Preface 



CSL is the annual conference of the European Association for Computer Science 
Logic (EACSL). CSL 2000 is the 14th such annual conference, thus witnessing 
the importance and sustained international interest in the application of methods 
from mathematical logic to computer science. The current conference was 
organized by the Mathematics Institute and the Computer Science Institute of 
the Ludwig-Maximilians-Universität München (LMU), with generous financial 
support from the Deutsche Forschungsgemeinschaft, Forschungsinstitut für angewandte 
Softwaretechnologie (FAST e.V.), Münchener Universitätsgesellschaft 
e.V., and Siemens AG. Our sponsors' generosity enabled, among other things, 
stipends for the financial support of students as well as of researchers from Eastern 
Europe. 

Topics in the call for papers for CSL 2000 included: automated deduction 
and interactive theorem proving, categorical logic and topological semantics, con- 
structive mathematics and type theory, domain theory, equational logic and term 
rewriting, finite model theory, database theory, higher order logic, lambda and 
combinatory calculi, logical aspects of computational complexity, logical foun- 
dations of programming paradigms, logic programming and constraints, linear 
logic, modal and temporal logics, model checking, program extraction, program 
logics and semantics, program specification, transformation and verification. The 
invited speakers were: Moshe Vardi (Houston), Paul Beame (Washington), Andreas 
Blass (Ann Arbor), Egon Börger (Pisa), Yuri Gurevich (Redmond), Bruno 
Poizat (Lyons), Wolfram Schulte (Redmond), Saharon Shelah (Jerusalem), and 
Colin Stirling (Edinburgh). Special thanks to Moshe Vardi for being willing to 
speak in the place of Miklós Ajtai (Almaden), who could not attend the meeting. 

The day of 24 August 2000, during the week-long CSL 2000 meeting, was 
reserved for the Gurevich Symposium, a special, one-day tribute to the scientific 
contributions of Professor Yuri Gurevich, at the occasion of his 60th birthday. 
Many of the previously listed invited speakers delivered a talk at the Gurevich 
Symposium. As editors of the proceedings, we would like to dedicate this volume 
of the Springer Lecture Notes in Computer Science to Professor Gurevich. 

We would like to thank the Program Committee, the referees, and our spon- 
sors for making this conference possible. A special thanks goes to the Organizing 
Committee for its professional work ranging from practical to editorial matters. 
Finally, thanks to the assistance of the authors, who formatted their articles using 
LaTeX with Springer macros. This allowed rapid production of the proceedings 
first distributed at the conference. 
Yuri Gurevich: The Evolution of a Research Life from 
Algebra through Logic to Computer Science 
by Egon Börger (University of Pisa) 



Yuri Gurevich is the man whose life embraces three worlds — Russia, Israel, and 
United States — and whose research spans three disciplines — algebra, logic, and 
computer science — all of which shaped the 20th century. In each of these research 
areas Gurevich set milestones and became a leading figure. Indeed the 
outstanding constant in his life is his courage and strength to think about the 
fundamentals which underlie problems of impact in the field. 

He was born on May 7, 1940, in Nikolayev (Ukraine) and was moved by life 
through Stalingrad (41-42), Chimkent (Uzbekistan, 42-44), Chelyabinsk (44-59, 
school and polytechnic) to Sverdlovsk where he studied, graduated, and taught 
at the Ural University (59-64, 65-71) and where he married Zoe, a student of 
mathematics and later system programmer who has given him two daughters, 
Hava and Naomi, and accompanies his life. 

Gurevich started his research in algebra where he became famous through 
his work on ordered abelian groups. For his diploma in 1962 he solved [1]¹ one 
of the problems which was listed as open in Petr Kontorovich's algebra seminar. 
Gurevich learned logic from Kleene's Introduction to Metamathematics and 
in 1962 heard about Tarski's program of classifying elementary theories into 
decidable and undecidable. A year after Tarski and Szmielew announced the 
decidability of the elementary theory of ordered abelian groups but then found an 
error in their proof, Gurevich proved the decidability of the first-order theory of 
ordered abelian groups [3], which became his PhD thesis (1964) and made him 
an assistant professor at the University of Krasnoyarsk (64-65). 

Since the theorems in the then known algebra of ordered abelian groups 
were not first-order, and the standard extensions of classical first-order logic 
(like monadic second-order logic) give rise to undecidable theories, Gurevich 
wondered whether there is a logic that fits ordered abelian groups, so that the 
corresponding theory expresses most of the relevant algebra but yet is manage- 
able and hopefully decidable. He proved that the extension of the elementary 
theory of ordered abelian groups with quantification over so-called convex sub- 
groups, even though it is much richer than the elementary theory and expresses 
virtually all known algebra of ordered abelian groups, is not only decidable [25], 
but allows the elimination of the elementary quantifiers. When in 1973, via 
Krasnodar (71-72) and Tbilisi (Georgia, 72-73), Gurevich emigrated to Israel 
(Beer Sheva, 74-82), he met Saharon Shelah, studied Shelah’s seminal paper on 
the theory of order (Annals of Mathematics, 1975), and solved in [26, 27] most 
of its numerous conjectures, which led to a still ongoing fruitful collaboration 
between the two logicians (see the survey [64]). 

For Hilbert's Entscheidungsproblem, one of the major themes of mathematical 
logic in the twentieth century, Gurevich [6] resolved the most difficult of the 
prefix-predicate classes and thereby completed the prefix-predicate classification 
of the fragments of the restricted predicate calculus as decidable or undecidable. 
He found a general explanation of the classifiability phenomenon [13], confirmed 
it for the classification of fragments with function symbols [18], and conjectured 
the classification of fragments with equality and at least one function symbol, 
one of the most difficult problems in the area, which was later proved by Saharon 
Shelah. Details can be found in [2] (reference below). 

¹ The numbers in brackets refer to the Annotated Publication List at 
http://research.microsoft.com/~gurevich/, except where marked by reference below. 

The year 1982, when the University of Michigan appointed Gurevich, marks 
the beginning of his commitment to computer science and of his close collab- 
oration with Andreas Blass from the mathematics department there. Gurevich 
shaped the two emerging fields of finite model theory and of average case com- 
plexity. It started with his first talk to a computer science conference [41], where 
Gurevich saw Moshe Vardi applying the definability theorem of first-order logic 
to databases, which were assumed to be possibly infinite - and immediately wor- 
ried whether such classical theorems would remain valid if only finite databases 
were allowed. The answer turned out to be negative [60], the counter-example 
to Lyndon’s interpolation theorem [72] gave a uniform sequence of constant- 
depth polynomial-size (functionally) monotone boolean circuits not equivalent 
to any (however nonuniform) sequence of constant-depth polynomial-size posi- 
tive boolean circuits. Other landmark contributions to finite model theory are 
the characterization of primitive recursive (resp. recursive) functions over finite 
structures as log-space (resp. polynomial time) computable [51], the characteriza- 
tion of the inflationary fixed-point extension of first-order logic as equi-expressive 
with its least fixed-point extension on finite structures [70], the boundedness of 
every first-order expressible datalog query [83], etc. 

Gurevich's contributions to complexity theory are no less important. He 
solved special but important cases of NP-hard problems [54], worked on time-space 
trade-offs [87] and on linear time [82], and critically analyzed some non-traditional 
approaches [81,80], but above all we see Gurevich work here on average case complexity, 
side by side with Leonid Levin. An NP-hard problem, when equipped 
with a probability distribution, may become easy. For example, for random 
graphs with n vertices and a fixed edge probability, the algorithm of [71] solves 
the Hamiltonian Circuit Problem in average time O(n). In 1984, Leonid Levin 
generalized the NP-completeness theory to such distributional (DNP) problems 
and constructed one DNP problem that was hard in the average case. [76] provides 
new hard cases and shows that Levin's original deterministic reductions are 
inadequate, which led Levin and Venkatesan to define more powerful randomizing 
reductions. [88,93,94,96,97] contain pioneering work towards establishing 
the average-case intractability of important problems. 

Reconsidering Turing’s thesis and the fundamental problem of semantics of 
programming languages led Gurevich to his epochal concept of Abstract State 
Machines [74,92,103,141]. It has already triggered hundreds of publications, in 
finite model theory [109,120,135], in complexity theory [118,121], and in numer- 
ous areas of applied computer science, e.g. programming languages, protocols, 
architectures, and embedded control software (see the survey in [1] (reference 
below) and [77,89,98,106,107,111,116,117,119,121,122,137-140]); even more 
importantly it is changing the way we think about high-level software design and 
analysis. In this extraordinarily rich, deep, and wide ranging life in research, 
all the strands are woven together. By investing that wealth into building and 
leading the Foundations of Software Engineering group at Microsoft Research 
(since August 1998), Gurevich professes his conviction that there is nothing more 
practical than a good theory. 
Abstract. The reserve of a state of an abstract state machine was defined 
to be a "naked set". In applications, it may be convenient to have 
tuples, sets, lists, arrays, etc. defined ahead of time on all elements, in- 
cluding the reserve elements. We generalize the notion of reserve appro- 
priately. As an application, we solve a foundational problem in Gandy’s 
formalization of mechanical devices. 



Part 1 

Introduction and Preliminaries 

1 Introduction 

In this paper, we address two closely related foundational issues. We encoun- 
tered these issues in connection with the notion of “reserve” in abstract state 
machines (ASMs), but they are of somewhat broader relevance, for example 
to the computing mechanisms described in [Gandy 1980]. In this introduction, 
we shall discuss these issues in general terms, specializing later to the cases of 
primary interest. 

Algorithms often need to increase their working space, and there are two ways 
to view this increase. One is that the additional space was really there all along 
but was not previously used; the other is that genuinely new space is created. 
For example, from the first viewpoint, a Turing machine has an infinite tape, 
only finitely much of which is in use at any stage of the computation. From 
the second viewpoint, a Turing machine’s tape is finite but new squares can be 
appended to it as needed. 

For foundational purposes, it is usually more convenient to adopt the first viewpoint, 
so as not to have to worry about the nature of newly created elements. In 
particular, ASMs have, by definition [Gurevich 1995], an infinite reserve which is 
a part of the base set. All the basic functions and relations except equality take 
only their default values if at least one of the arguments belongs to the reserve, 
and no basic function outputs a reserve element. When a new element is needed 
in the active part of the state, one is imported from the reserve. 

* Preparation of this paper was partially supported by a grant from Microsoft Corporation. 

Although the reserve has no internal structure (except equality), it is often de- 
sirable to have some external structure over it. For example, in [BGS 1999] every 
state was required to include all the hereditarily finite sets over its atoms. This 
means that finite sets of reserve elements (and finite sets of these, etc.) were 
present, with their membership relation. Thus, when a reserve element is im- 
ported, sets involving it already exist and do not need to be created separately 
(by importing additional elements and appropriately defining the membership 
relation on them). Similarly, one might want to have other sorts of structure 
already available, for example lists or arrays of reserve elements. 

The first issue treated in this paper is to make precise the notion of a sort of 
structure (like sets, or lists, or arrays) that can exist above a set of atoms without 
putting any structure (except equality) on the atoms themselves. We formalize 
this in the notion of a background class of structures. Thus, for example, the 
background class relevant to [BGS 1999] would consist of structures of the form: 
set U of atoms plus all hereditarily finite sets over U (as well as isomorphic 
copies of such structures). The idea is that such a class of structures specifies 
the constructions (like finite sets) available as “background” for algorithms. 

The second issue is the choice of elements to be imported from the reserve. If the 
importation is to be algorithmic, it must be non-deterministic, since an algorithm 
has no way to distinguish one reserve element from another. But this sort of non- 
determinism is intuitively much more benign than general non-determinism. We 
attempt to capture what accounts for this intuition, by introducing the notion of 
inessential non-determinism. The idea here is that the various options allowed by 
the non-determinism all lead to isomorphic states, so that it makes no difference 
which option is chosen. 

Alternatively, one could insist on determinism, specifying a particular one of the 
available reserve elements to be imported. This is the approach used in [Gandy 
1980]. The price of this insistence is that the specification cannot be algorith- 
mic or even canonical. We shall show how to turn a Gandy-style deterministic, 
non-algorithmic process into a non-deterministic algorithm of the sort described 
above, and we shall prove that Gandy’s notion of “structural” for his processes 
corresponds to our notion of “inessential non-determinism.” 



2 Structures 

The notion of (first-order) structure is found in textbooks on mathematical logic; 
for example see [Enderton 1972]. We use a slight modification of the notion of 
classical structures [Gurevich 1991]. 
2.1 Syntax 

A vocabulary is a finite collection of function names, each of a fixed arity. Some 
function names may be marked as relational. Every vocabulary contains the 
equality sign, the nullary names true, false, undef, the unary name Boole, 
and the names of the usual Boolean operations. With the exception of undef, 
all these logic names are relational. A function name can be marked (by the 
vocabulary) as static. 

Terms (more exactly ground terms; by default, terms are ground in this article) 
are defined by the usual induction. A nullary function name is a term. If f is a 
function name of positive arity j and if t_1, ..., t_j are terms, then f(t_1, ..., t_j) is 
a term. If the outermost function name is relational, then the term is Boolean. 



2.2 Semantics 

A structure X of vocabulary T is a nonempty set S (the base set of X) together 
with interpretations of the function names in T over S. Elements of S are also 
called elements of X. A j-ary function name is interpreted as a function from 
S^j to S, a basic function of X. We identify a nullary function with its value. 
Thus, in the context of a given structure, true means a particular element, 
namely the interpretation of the name true; the same applies to false and 
undef. It is required that true be distinct from the interpretations of the names 
false and undef. The interpretation of a j-ary relation R is a function from 
S^j to {true, false}, a basic relation of X. The equality sign is interpreted as 
the identity relation on the base set. Think about a basic relation R as the set 
of tuples ā such that R(ā) = true. If relation R is unary it can be viewed as 
a universe. Boole is (interpreted as) the universe {true, false}. The Boolean 
operations behave in the usual way on Boole and produce false if at least one 
of the arguments is not Boolean. undef allows us to represent intuitively-partial 
functions as total. 

The domain of a non-relational j-ary basic function f is the set of j-tuples ā 
such that f(ā) ≠ undef. The range of f is the set of elements f(ā) different from 
undef where ā ranges over all j-tuples of elements of the base set. 

A straightforward induction gives the value Val(t, X) of a term t in a structure 
X whose vocabulary includes that of t. If Val(t, X) = Val(t', X), we may say 
that t = t' in X. If t = true (resp. t = false) in X, we may say that t holds or 
is true (resp. fails or is false) in X. 



3 Sequential-Time and Abstract-State Postulates 

Restrict attention to one-thread algorithms. (In the terminology of [Gurevich 
1995], this means that we allow parallel algorithms but not independent agents.) 
Following [Gurevich 2000], we make the following assumptions. 
Sequential Time 

Postulate 1 (Deterministic Sequential Time) Every deterministic algorithm 
A is associated with 

— a set S(A) whose elements will be called states of A, 

— a subset I(A) of S(A) whose elements will be called initial states of A, and 

— a map τ_A : S(A) → S(A) that will be called the one-step transformation 
of A. 



Postulate 2 (Nondeterministic Sequential Time) Every nondeterministic 
algorithm A is associated with 

— a set S(A) whose elements will be called states of A, 

— a subset I(A) of S(A) whose elements will be called initial states of A, and 

— a relation τ_A ⊆ S(A) × S(A) that will be called the one-step transformation 
of A. 



Abstract State 

Postulate 3 (Deterministic Abstract State) Let A be an arbitrary deterministic 
algorithm. 

— States of A are first-order structures. 

— All states of A have the same vocabulary. 

— The one-step transformation τ_A does not change the base set of any state. 
Nor does it change the interpretations of static basic functions. 

— S(A) and I(A) are closed under isomorphisms. Further, any isomorphism 
from a state X onto a state Y is also an isomorphism from τ_A(X) onto 
τ_A(Y). 



Postulate 4 (Nondeterministic Abstract State) Let A be an arbitrary 
nondeterministic algorithm. 

— States of A are first-order structures. 

— All states of A have the same vocabulary. 

— If (X, X') ∈ τ_A then X and X' have the same base set and the same static 
basic functions. 

— S(A) and I(A) are closed under isomorphisms. Further, let ζ be an isomorphism 
from a state X onto a state Y. For every state X' with (X, X') ∈ τ_A, 
there is a state Y' with (Y, Y') ∈ τ_A such that ζ is an isomorphism from X' 
onto Y'. 

Notation. τ[A] ≜ τ_A. Notation τ[A] is more convenient when the algorithm name 
is complex. 

Lemma 3.1 (Symmetry Preservation) Suppose that A is a deterministic algorithm 
and let X ∈ S(A). Every automorphism of X is also an automorphism 
of τ_A(X). 



Proof This is the last part of the deterministic abstract-state postulate applied 
to the special case that X = Y. □ 



3.1 Hereditarily Finite Sets 

We recall a couple of set-theoretic notions. 

A set x is transitive if it contains all elements of its elements: if z ∈ y ∈ x then 
z ∈ x. The transitive closure TC(x) of a set x is the least transitive set that 
includes x. A set x is hereditarily finite if TC(x) is finite. 

A set x may contain elements which are not sets; these are called atoms. The 
collection of atoms in TC(x) is the atomic support of x. Following Gandy [1980], 
the atomic support of a set x will be denoted Sup(x). 

Let U be a set of atoms. The collection HF(U) of hereditarily finite sets over U 
is the collection of all hereditarily finite sets x with Sup(x) ⊆ U. It is easy to see 
that HF(U) is the least set S such that every finite subset of U ∪ S is an element 
of S. 

Corollary 3.2 Consider a family {U_i : i ∈ I} of subsets of U. We have 

    ⋂_{i∈I} HF(U_i) = HF(⋂_{i∈I} U_i). 

Proof By definition of HF and of intersection, a set x belongs to HF(U_i) for each i if 
and only if Sup(x) ⊆ U_i for each i. But this is the same as saying Sup(x) ⊆ ⋂_i U_i, 
which is the definition of x belonging to HF(⋂_i U_i). □ 
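As an added example (not part of the paper), the following Python code makes the definitions of this subsection concrete: hereditarily finite sets over atoms are represented as nested frozensets, TC(x) and Sup(x) are computed by walking the membership relation, membership in HF(U) is decided by the support test, and Corollary 3.2 is checked on a depth-bounded part of HF(U). The representation (frozensets are sets, everything else is an atom) and all function names are this example's own assumptions.

```python
"""Hereditarily finite sets over atoms: TC, Sup, HF(U), and Corollary 3.2.

Added example, not part of the paper. Representation assumed here: a set is
a Python frozenset, anything else (e.g. a string) is an atom.
"""
from itertools import combinations


def is_set(x):
    return isinstance(x, frozenset)


def tc(x):
    """Transitive closure TC(x): the least transitive set that includes x.

    Walks down the membership relation from the elements of x; the result
    contains every element of x, every element of those, and so on.
    """
    closure, todo = set(), list(x)
    while todo:
        y = todo.pop()
        if y in closure:
            continue
        closure.add(y)
        if is_set(y):
            todo.extend(y)
    return frozenset(closure)


def is_transitive(x):
    """x is transitive if z in y in x implies z in x."""
    return all(z in x for y in x if is_set(y) for z in y)


def sup(x):
    """Atomic support Sup(x): the atoms occurring in TC(x)."""
    return frozenset(y for y in tc(x) if not is_set(y))


def in_hf(x, atoms):
    """x in HF(U) iff x is a (hereditarily finite) set with Sup(x) a subset of U."""
    return is_set(x) and sup(x) <= frozenset(atoms)


def hf_up_to(atoms, depth):
    """The least-fixpoint description of HF(U), cut off after `depth` rounds:
    start from S = {} and repeatedly add every finite subset of U union S.
    The full HF(U) is infinite, so `depth` must stay small (2 or 3)."""
    s = set()
    for _ in range(depth):
        pool = list(frozenset(atoms) | s)
        s |= {frozenset(c) for r in range(len(pool) + 1)
              for c in combinations(pool, r)}
    return frozenset(s)


def corollary_3_2_holds(u1, u2, depth=2):
    """Check HF(U1) intersect HF(U2) = HF(U1 intersect U2) on the
    depth-bounded part of HF(U1 union U2)."""
    u1, u2 = frozenset(u1), frozenset(u2)
    return all((in_hf(x, u1) and in_hf(x, u2)) == in_hf(x, u1 & u2)
               for x in hf_up_to(u1 | u2, depth))


if __name__ == "__main__":
    # Constructed sample: x = {a, {a, b}} over the atoms a, b, c.
    x = frozenset({"a", frozenset({"a", "b"})})
    print("TC(x) =", set(tc(x)))
    print("Sup(x) =", set(sup(x)))
    print("x in HF({a,b}):", in_hf(x, "ab"), " x in HF({a}):", in_hf(x, "a"))
    print("Corollary 3.2 on HF({a,b}), HF({b,c}):", corollary_3_2_holds("ab", "bc"))
```

Note that `tc(x)` does not contain x itself: TC(x) is the least transitive set that includes x as a subset, which is why `is_transitive(x)` can fail while `is_transitive(tc(x))` always holds. The corollary check is exhaustive only on the finite approximation `hf_up_to` produces; with three atoms and depth 2 that is 2048 sets.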

Part 2 

Background Classes and Reserve 

4 Background Classes 

4.1 Preliminaries 

In this section, every vocabulary contains a unary predicate Atomic. We call 
this predicate and the logical symbols obligatory and all other symbols non-obligatory. 
If X ⊨ Atomic(x), call x an atom of X. The set of atoms of X will 
be denoted Atoms(X). X is explicitly atom-generated if the smallest substructure 
of X that includes all atoms is X itself. 

Given two structures X, Y of the same vocabulary, we write X ≤ Y to indicate 
that X is a substructure of Y. If X ≤ Y and X belongs to a class K of structures 
then X is a K-substructure of Y. 



4.2 Main Definitions 

Definition 4.1 A class K of structures of a fixed vocabulary is a background 
class if the following requirements BC0-BC3 are satisfied. 

BC0 K is closed under isomorphisms. 

BC1 For every set U, there is a structure X ∈ K with Atoms(X) = U. 

BC2 For all X, Y ∈ K and every embedding (of sets) ζ : Atoms(X) → Atoms(Y), 
there is a unique embedding (of structures) η of X into Y that extends ζ. 

BC3 For all X ∈ K and every x ∈ Base(X), there is a smallest K-substructure 
Y of X that contains x. 

Definition 4.2 Suppose that K is a background class, X ∈ K, S ⊆ Base(X), 
and F is the set of substructures Y ≤ X such that Y belongs to K and includes 
S. If F has a smallest member Y then Y is called the envelope E_X(S) of S in 
X and Atoms(Y) is called the support Sup_X(S) of S in X. 

Notice that the smallest background substructure of X that contains a particular 
element x ∈ X is E_X({x}). It is tempting to simplify the notation by writing 
simply E_X(x), but this can lead to ambiguity if x is both an element and a 
subset of X. 

BC3 asserts that, in a background structure, every singleton subset has an envelope. 

Definition 4.3 A background class K is finitary if, in every background structure, 
the support of every singleton set is finite. 



4.3 Analysis 

Let K be a background class. Members of K are background structures, K-substructures 
are background substructures. 

Lemma 4.4 In BC2, if ζ is onto then η is onto as well. 

Proof Suppose that ζ is onto. By BC2 (existence), ζ⁻¹ extends to an embedding 
θ : Y → X. The identity map ζ ∘ ζ⁻¹ : Atoms(Y) → Atoms(Y) extends to 
η ∘ θ : Y → Y. By BC2 (uniqueness), η ∘ θ is the identity map on Y. It follows 
that η is onto. □ 
Lemma 4.5 Suppose Z is a background structure, X, Y are background substructures 
of Z, U = Atoms(X) and V = Atoms(Y). 

1. If U ⊆ V then the identity on X is the unique embedding of X into Y that 
is the identity on U. 

2. If U ⊆ V then X ≤ Y. 



Proof 

1. Suppose that U ⊆ V and let ζ be the identity on U and thus an embedding 
of U into V. By BC2 (existence), there is an extension of ζ to an embedding η 
of X into Y and therefore into Z. The identity θ on X is another extension of ζ 
that is an embedding of X into Z. By BC2 (uniqueness), η = θ. 

2. follows from 1. □ 



Lemma 4.6 In a background structure X , every set U of atoms has an envelope. 



Proof By BC1, there is a background structure Y with Atoms(Y) = U. Let 
ζ be the identity map on U. By BC2 (existence), ζ extends to an embedding 
η : Y → X. Let Z be the range of η. Clearly, Atoms(Z) = U. By BC0, Z is a 
background structure and thus a background substructure of X. 

By Lemma 4.5, Z is included in every background substructure of X that includes 
U. This means that Z = E(U). □ 

It follows that {a} has an envelope for every atom a. This is weaker than BC3 
which asserts that, in a background structure, every singleton subset has an 
envelope. Until now we used only BC0-BC2. BC3 does not follow from BC0-BC2, 
as the following example shows. 

Example 4.7 Let K be the class of structures X satisfying the following conditions. 
The logic elements true, false, and undef are distinct. If Atoms(X) is 
empty then X contains no non-logic elements. Otherwise the non-logic part of 
X consists of atoms and exactly one non-atomic element. It is easy to see that 
this class K satisfies BC0-BC2. However, if X has more than one atom and x is 
the unique non-logic non-atomic element, then {x} does not have an envelope. 



Lemma 4.8 Every background class has the following property. 

BC3' In a background structure X, every S ⊆ Base(X) has an envelope. 

Proof Let U ≜ ⋃{Sup({x}) : x ∈ S}. By Lemma 4.6, U has an envelope 
E(U). We show that E(U) is also the envelope of S. 

S ⊆ E(U). Indeed, for all x ∈ S, Atoms(E({x})) = Sup({x}) ⊆ U so that, by 
Lemma 4.5, E({x}) ≤ E(U). 

E(U) is the smallest K-substructure of X that includes S. Indeed, let Z be any 
K-substructure of X that includes S. For every x ∈ S, Z includes E({x}) and 
therefore includes Sup({x}) = Atoms(E({x})). Hence Z includes U. Hence Z 
includes E(U). □ 



Lemma 4.9 Every background class has the following property. 

BC3'' For all X ∈ K, the intersection of any family of K-substructures of X is 
a K-substructure of X. 



Proof Let F be a family of K-substructures of X. We prove that the substructure 
⋂F is a background structure. Let U = ⋂{Atoms(Y) : Y ∈ F}. It suffices 
to prove that ⋂F = E(U). 

E(U) ≤ ⋂F. Indeed, by the definition of E(U), E(U) ≤ Y for all Y ∈ F. 

⋂F ≤ E(U). Indeed let x be an element of ⋂F. Every Y ∈ F contains x, 
therefore includes E({x}), and therefore includes Atoms(E({x})). It follows that 
Atoms(E({x})) ⊆ U. By Lemma 4.5, E({x}) ≤ E(U) and therefore E(U) contains 
x. □ 

This proof gives rise to the following corollary. 

Corollary 4.10 Assume that X is a background structure and let 
U_i ⊆ Atoms(X) for all i ∈ I. Then 

    ⋂_{i∈I} E(U_i) = E(⋂_{i∈I} U_i). 



Lemma 4.11 In Definition 4.1, BC3 can be replaced with BC3''. 

Proof Assume BC3'' and let X ∈ K. Given an element x of X, let F be the 
collection of K-substructures Y of X such that Y contains x. By BC3'', ⋂F 
is a K-substructure of X. Clearly, it is the smallest K-substructure of X that 
contains x. □ 

Remark 4.12 The definition of background classes has a simple category-theory 
version. Consider two categories: 

T-Str The category of structures for a vocabulary T, with embeddings as mor- 
phisms. 
Set The category of sets, also with embeddings (i.e., one to one maps) as morphisms. 

Of course Set is just the special case of T-Str, where the vocabulary T is empty. 
But we’re interested in the case where T contains at least the unary predicate 
symbol Atomic. This symbol gives rise to a functor T from T-Str to Set. The 
functor sends each T-structure to its set of atoms; on morphisms it acts by 
restriction. Now a background class is a full subcategory C of T-Str that is 
closed under isomorphisms and under intersections and such that the functor T 
when restricted to C is an equivalence of categories C and Set. 

Here “full subcategory” means a subclass of the objects, with all of the T-Str 
morphisms between them. And “closed under intersections” should be taken 
in the category-theoretic sense. In set-theoretic terminology, this means that, 
given a structure in C and some substructures, also in C, then their intersection 
should also be in C. One needs the single superstructure to make sense of the 
intersection. 



Lemma 4.13 Suppose that X is a background structure. For every permutation 
π of Atoms(X) there is a unique extension of it to an automorphism of X. 



Proof Use BC2 and Lemma 4.4. □ 



5 Examples of Background Classes 

In this section we shall describe some specific background classes. Some of these 
were the motivation for the general definition of background class. 

Recall that the non-obligatory part of a vocabulary is the part that is obtained 
by removing all logic names as well as the name Atomic. 



5.1 Set Background 

Up to isomorphism, the non-logic part of a background structure X with atoms U 
consists of the hereditarily finite sets over U. (See Part 1 about the hereditarily 
finite sets.) The only non-obligatory basic function of X is the membership 
relation ∈. For future reference, this background class will be called the set-background 
class SB. 

There are other versions of set backgrounds. The vocabulary of SB can be enriched 
in various ways. We consider two ways to do that. 

1. The additional basic functions are ∅, Singleton(x) = {x}, and the binary 
union operation, with value x ∪ y if both x and y are sets. 

The resulting background class is explicitly atom-generated. 

2. The additional basic functions are as in [BGS 1999]: ∅, Pair(x, y) ≜ {x, y} 
and 

    UnaryUnion(x) ≜ ∪x if x is a set, and ∅ otherwise; 

    TheUnique(x) ≜ a if x is a singleton {a}, and ∅ otherwise. 

Again the resulting background class is explicitly atom-generated. 

5.2 String Background 

The set of non-logic elements of a background structure with atoms U is the set 
of strings of elements of U . Let the vocabulary contain symbols for the nullary 
function Nil (the empty string), the unary function sending a member of U to 
the one-term string containing it, and the binary operation of concatenation 
of strings. Then this background class is explicitly atom-generated. If desired, 
one can introduce additional basic functions Head(x) and Tail(x) defined by 
induction on x. If x is the empty string Nil then Head(x) ≜ Tail(x) ≜ Nil. If 
x = ay where a is an atom, then Head(x) ≜ a and Tail(x) ≜ y. 



5.3 List Background 

Up to isomorphism, the non-logic part of a background structure X with atoms 
U consists of the lists over U. The terms in the lists can be elements of U or other 
lists. (So lists differ from the strings in the preceding example in that nesting is 
allowed.) The non-logic basic functions are Nil and Append. Nil designates the 
empty list. Given an atom or a list x and given a list (y_1, ..., y_n), Append(x, y) ≜ 
(x, y_1, ..., y_n). Every list has a unique presentation. As above, this allows us to 
introduce additional basic functions Head(x) and Tail(x) where x ranges over 
lists. In either version, this background class is explicitly atom-generated. 



5.4 Set/List Background 

Up to isomorphism, the set of non-logic elements of a background structure with 
atoms U is the least set V such that 

— U ⊆ V, 

— for every natural number n, if x_1, ..., x_n ∈ V then {x_1, ..., x_n} ∈ V and 
(x_1, ..., x_n) ∈ V. 

Here we do not adopt any of the codings of lists as sets; we regard sets and lists 
as independent basic constructions. 

We leave the choice of the vocabulary to the reader. 
5.5 A Non-finitary Background 

All example background classes above are finitary. To obtain a non-finitary background 
class, modify the string-background class by allowing infinite strings. 



6 Background Structures and the Reserve 

Fix a background class BC. Call the vocabulary Υ_0 of BC the background vo- 
cabulary, function names in Υ_0 the background function names, and members of 
BC background structures. 

Definition 6.1 Let A be an algorithm, deterministic or nondeterministic. BC 
is the background of A if the following conditions are satisfied. 

• The vocabulary Υ of A includes the background vocabulary Υ_0, and every 
background function name is static in Υ. 

• For every state X of A, the Υ_0-reduct of X (obtained by “forgetting” the basic 
functions with names in Υ − Υ_0) is a background structure. □ 

Fix a (deterministic or nondeterministic) algorithm A with background BC, and 
let Υ be the vocabulary of A. The basic functions of A with names in Υ_0 will be 
called the background basic functions of A; the other basic functions of A will be 
called the foreground basic functions of A. 

Definition 6.2 Let X be a state of A. An element x ∈ Base(X) is exposed if 
x belongs to the range of a foreground function or else x occurs in a tuple that 
belongs to the domain of a foreground function. □ 

Recall the property BC3' of background classes: for every background structure 
X, every subset of Base(X) has an envelope in X. 

Definition 6.3 The active part of a state X of the algorithm A is the envelope 
of the set of exposed elements; we denote it by Active(X). The reserve of X is 
the set of atoms of X that do not belong to the active part. 

Lemma 6.4 Every permutation of the reserve of X gives rise to a unique au- 
tomorphism of X that is the identity on the active part of X. 

Proof Let π be a permutation of the reserve of X. Set π(a) = a for all atoms 
a in the active part of X; the extended permutation will also be called π. By 
Lemma 4.13 there is a unique automorphism θ of the Υ_0-reduct of X that extends 
π. By definition of active part, any such automorphism that is the identity on 
the active part is necessarily an automorphism of the full Υ-structure X. □ 

We remark for future reference that any isomorphism X ≅ Y between states of 
A maps Active(X) isomorphically onto Active(Y). 
7 Inessential Nondeterminism 

The symmetry preservation Lemma inspires the following definition. 

Definition 7.1 Suppose that A is a nondeterministic algorithm with back- 
ground BC. A is essentially deterministic (or inessentially nondeterministic) 
if the following holds for all states X of A. If (X, X') and (X, X'') belong to τ_A 
then there is an isomorphism from X' onto X'' that coincides with the identity 
on Active(X). 



Corollary 7.2 Suppose that A is an inessentially nondeterministic algorithm 
with background BC. Let (X, X') ∈ τ_A, (Y, Y') ∈ τ_A, ζ be an isomorphism from 
X onto Y, and ζ_0 the restriction of ζ to Active(X). Then ζ_0 extends to an 
isomorphism from X' onto Y'. 



Proof By Postulate 4 (Nondeterministic Abstract State), ζ is an isomorphism 
from X' to some state Y'' with (Y, Y'') ∈ τ_A. Since A is inessentially nondeter- 
ministic, there is an isomorphism θ : Y'' ≅ Y' that coincides with the identity on 
Active(Y), which equals ζ(Active(X)) by the remark at the end of the last sec- 
tion. Then θ∘ζ is an isomorphism from X' to Y' and agrees with ζ on Active(X), 
i.e., it extends ζ_0. 

Part 3 

Nondeterministic Choice Problem 
for Gandy Machines 

8 Gandy Machines 

Following Gandy [1980], fix an infinite countable set U of atoms. Recall that 
HF(U) is the collection of hereditarily finite sets over U (see Part 1). Let Q be 
the structure 

(U ∪ HF(U), ∈, U) 

Every permutation π of U naturally extends to an automorphism of Q as follows: 
if x ∈ HF(U) then πx = {πy : y ∈ x}. It is easy to see that every automorphism 
of Q is obtained this way. 

A subset S of HF(U) is structural if it is closed under automorphisms of Q. 
In other words, S is structural if and only if, for every x ∈ S and for every 
permutation π of U, we have πx ∈ S. The following definition plays an important 
role in this part. 
Definition 8.1 Let S be a structural subset of HF(U). A function F : S → 
HF(U) is structural if, for every x ∈ S and for every permutation π of U, 
there is a permutation ρ of U that pointwise fixes Sup({πx}) and such that 
ρπFx = Fπx. 



Gandy defined only structural functions over HF(U) but used structural func- 
tions over arbitrary structural subsets of HF(U). The following lemma clarifies 
the issue of structural functions over HF(U) vs. structural functions over struc- 
tural subsets of HF(U). 

Lemma 8.2 

1. A structural function F over a structural set S extends to a structural function 
over HF(U). 

2. Suppose that F is a structural function over HF(U) and let S be a structural 
subset of HF(U). Then the restriction F|S of F to S is a structural function 
over S. 



Proof 

1. Set F{x) ^ 0 for all x G HF(C/) — S. We show that the extended function F 
is structural over HF([/). Let x G HF(C/) and tt be an arbitrary permutation of 
U. We need to prove the existence of an appropriate permutation p. If a: G S, 
then the existence of an appropriate p follows from the structurality of F over S. 
Suppose that x ^ S. By the structurality of S, ttx ^ S. Then 0 = Fx = Fttx = 
ttFx. The desired p is the identity permutation of U . 

2. Let X € S and tt be an arbitrary permutation of U. Since F is structural 
over HF(C/), there is a permutation p of U that pointwise fixes Sup({7ra;}) and 
such that pttFx = Fttx. If S contains x then it contains ttx as well because S is 
structural. It follows that ptt{F\S)x = (F|S')7ra; for all a; G S'. □ 

Now we are ready to recall the notion of Gandy machine at the level of detail 
appropriate for this paper. 



Definition 8.3 A Gandy machine M is a pair (S, F) where 

— S is a structural subset of HF(U), and 

— F is a structural function from S into S, and 

— some additional constraints are satisfied. 



Intuitively, S is the set of states of M and F is the one-step transition function. 
The additional constraints are not important for our purposes in this paper. 
9 The Nondeterministic Choice Problem 

We start with an example Gandy machine M^0 = (S^0, F^0). S^0 is the collection of 
finite subsets of U. Obviously, S^0 is structural. If x ∈ S^0 then F^0(x) = x ∪ {a} 
where a is an atom in U − x. We check that F^0 is structural as well. Suppose that 
x = {a_1, ..., a_n} ∈ S^0 where a_1, ..., a_n are distinct. Then F^0x = {a_1, ..., a_n, b} 
for some atom b ∉ x so that a_1, ..., a_n, b are all distinct. Let π be a permutation 
of U. Then 

πx = {πa_1, ..., πa_n} 

πF^0x = {πa_1, ..., πa_n, πb} where πb ∉ πx 
F^0πx = {πa_1, ..., πa_n, c} for some c ∉ πx 

The desired ρ transposes πb and c and leaves other atoms intact. 

Thus, M^0 satisfies the part of the definition of Gandy machine that we gave 
explicitly; the reader familiar with [Gandy 1980] is invited to check that the 
“additional constraints” that we alluded to are also satisfied. 
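As an added illustration of Definition 8.1 and of the structurality check just carried out for M^0 (this is example code written for this edition, not part of the paper), the following Python models U ∪ HF(U) with strings for atoms and frozensets for sets, extends a permutation of U to HF(U) as in Section 8, and searches for the permutation ρ of Definition 8.1. It assumes a finite five-atom stand-in for the infinite U, and for F^0 it fixes the otherwise arbitrary choice of the new atom to the first unused one; the contrasting function G_fixed, which always adds the same atom, is constructed here and is not from the paper.

```python
from itertools import permutations

# Constructed finite stand-in for Gandy's infinite atom set U (an assumption of
# this example: five atoms suffice for the small states checked below).
U = ('a', 'b', 'c', 'd', 'e')
PERMS = [dict(zip(U, image)) for image in permutations(U)]


def is_atom(x):
    return isinstance(x, str)


def act(pi, x):
    """Extend a permutation pi of U (a dict) to U ∪ HF(U): πx = {πy : y ∈ x}."""
    if is_atom(x):
        return pi[x]
    return frozenset(act(pi, y) for y in x)


def sup(x):
    """Sup({x}): the atoms occurring anywhere inside x (hereditarily)."""
    if is_atom(x):
        return frozenset([x])
    return frozenset().union(*(sup(y) for y in x))


def fixes(pi, atoms):
    """True if pi pointwise fixes every atom in atoms."""
    return all(pi[a] == a for a in atoms)


def F0(x):
    """Step of the example machine M^0: add one atom of U − x (here: the first unused one)."""
    return x | frozenset([next(a for a in U if a not in x)])


def G_fixed(x):
    """Constructed contrast, not from the paper: always adds the particular atom 'a'."""
    return x | frozenset(['a'])


def transposition_witness(x, pi):
    """The paper's explicit ρ for M^0: swap πb (the atom F0 added to x, then moved
    by π) with c (the atom F0 adds to πx); all other atoms stay fixed."""
    pix = act(pi, x)
    pib = next(iter(act(pi, F0(x)) - pix))
    c = next(iter(F0(pix) - pix))
    rho = {a: a for a in U}
    rho[pib], rho[c] = c, pib
    return rho


def structural_witness(F, x, pi):
    """Definition 8.1 for one x and π: find ρ that pointwise fixes Sup({πx}) and
    satisfies ρπFx = Fπx, by exhaustive search; None if no such ρ exists."""
    pix = act(pi, x)
    target, piFx = F(pix), act(pi, F(x))
    for rho in PERMS:
        if fixes(rho, sup(pix)) and act(rho, piFx) == target:
            return rho
    return None


def is_structural(F, sample):
    """Check Definition 8.1 for every x in sample and every permutation of U."""
    return all(structural_witness(F, x, pi) is not None
               for x in sample for pi in PERMS)
```

The exhaustive search in structural_witness is feasible only because U is finite here; transposition_witness is the explicit ρ from the text and always succeeds for F0. For G_fixed, the state {a} together with any permutation that moves a admits no ρ at all: ρ must fix πa but would have to turn the one-element set π{a} into the two-element set {πa, a}. Preferring one particular atom is exactly the discrimination that structurality rules out.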

Now consider an arbitrary Gandy machine M = (S, F) and let x ∈ S. Think 
about x as the current state of M, so that Fx is the next state of M. It is possible 
that Sup({Fx}) contains atoms that are not in Sup({x}); that certainly happens 
in the case of our example machine M^0. The choice of such new atoms should 
not matter. That is why Gandy requires that F is structural. Two questions 
arise. 

1. Is the structurality of F a correct requirement? That is, does it capture the 
idea that the choice of new elements is irrelevant? 

2. Is there a better solution of this nondeterministic choice problem? 

We believe that the answer to the second question is positive. To this end we 
will propose a nondeterministic formalization of Gandy machines. The answer 
to the first question is positive as well if one sticks to deterministic machines; 
we will show that the structurality requirement is equivalent to the intuitively 
expected requirement that the nondeterministic versions of Gandy machines are 
essentially deterministic in the sense of Section 7. 

10 Nondeterministic (Specifications for) Gandy Machines 

Let S be a structural subset of HF(U) and F : S → S be any unary operation 
over S. Think about M = (S, F) as a machine, like a Gandy machine. Of course, 
we are primarily interested in the case when M is a Gandy machine, but for 
technical reasons we consider a more general case. We define a nondeterministic 
algorithm A, or A_M, that may serve as a nondeterministic specification for M. 
Definition 10.1 The nondeterministic specification of M = (S, F) is the algo- 
rithm A defined as follows. 

All states of A have the same base set, namely the set U ∪ HF(U) extended with 
three additional elements (interpreting) true, false, undef. A has only three 
non-logic basic functions. Two of them are static: the unary relation Atomic and 
the containment relation x ∈ y. The third basic function is a nullary dynamic 
function Core that gives the current state of M. For brevity, let Core(X) be the 
value of Core at state X and let Sup(X) = Sup({Core(X)}). 

The one-step transition relation τ_A consists of pairs (X, Y) of states of A such 
that Core(Y) = F(Core(X)) or, more generally, there is a permutation π of U 
that pointwise fixes Sup(X) and such that Core(Y) = π(F(Core(X))). 

To explain this definition, consider the example from the preceding sec- 
tion. Abbreviate A_{M^0} to A^0. Abbreviate τ_{A^0} to τ^0. In this situation, Sup(X) = 
Core(X) for all states X of A^0. Fix a particular state X of A^0. What are the 
states Y such that (X, Y) ∈ τ^0? It is easy to see that these are exactly the states 
Y such that Sup(Y) consists of the atoms in Sup(X) plus one additional atom 
a. Any atom in U − Sup(X) will do. No atom in U − Sup(X) has preferential 
treatment or is discriminated against. 

Remark 10.2 Gandy does not specify initial states of his machines. Accord- 
ingly we ignore initial states as well. 

It is easy to see that A is a nondeterministic algorithm with background SB 
described in Subsection 5.1. The only exposed element of a state X of A is 
Core(X). Accordingly the active part Active(X) of X is Sup(X) ∪ HF(Sup(X)) 
plus the elements true, false, undef. Hence Reserve(X) = U − Sup(X). 

We saw that every permutation π of U extends to an automorphism of the 
structure Q = (U ∪ HF(U), ∈, U). However, π is not necessarily an automor- 
phism of X because it can move Core(X). It is an automorphism of X if and 
only if π(Core(X)) = Core(X). Identify a permutation π of Reserve(X) with 
the permutation of U which pointwise fixes Sup(X) and coincides with π on 
Reserve(X). 

Corollary 10.3 Let X, Y be states of A. Then (X, Y) ∈ τ_A if and only if there 
is a permutation π of Reserve(X) such that Core(Y) = πF(Core(X)). 



11 Essential Determinism and Structurality 

Let S be a structural subset of HF(U) and F be any unary operation over S. 
Further let A be the nondeterministic specification for (S, F). Abbreviate τ_A to 
τ. 
Theorem 11.1 The following are equivalent. 

1. A is essentially deterministic. 

2. F is structural over S. 



Proof First we assume 1 and prove 2. Let x ∈ S and let π be any permutation 
of U. We construct the desired ρ. 

Let X be the state of A with Core(X) = x and let πX be the state of A with 
Core(πX) = πx. Since S is structural, it contains πx and thus πX is a legitimate 
state of A. 

View π as an isomorphism from X to πX. Since A is essentially determinis- 
tic, there is an isomorphism η from τ(X) to τ(πX) which coincides with π 
on Active(X) and in particular on Sup({x}). The desired ρ is ρz = ηπ^{-1}z for all 
z ∈ HF(U). 

If πa ∈ Sup({πx}) then ρ(πa) = ηπ^{-1}πa = ηa = πa. Thus ρ is the identity on 
Sup({πx}). 

Since η is an isomorphism from τX onto τ(πX), we have ηCore(τX) 
= Core(τπX), that is ηFx = Fπx. Therefore ρπFx = ηπ^{-1}πFx = ηFx = Fπx. 

Second we assume 2 and prove 1. Suppose that (X, Y) and (X, Z) belong to τ. 
We need to prove that there is an isomorphism from Y onto Z that pointwise 
fixes Active(X). 

Without loss of generality Core(Y) = F(Core(X)). Indeed, suppose that 2 is 
proved in this special case. Now consider the general case, and let X' be the 
state of A with Core(X') = F(Core(X)). By the special case of 2, there is an 
isomorphism ζ from X' onto Y that pointwise fixes Active(X). Similarly, there 
is an isomorphism η from X' onto Z that pointwise fixes Active(X). Then η∘ζ^{-1} 
is an isomorphism from Y onto Z that pointwise fixes Active(X). 

Let x = Core(X), y = Core(Y) and z = Core(Z). We have y = Fx. Since 
(X, Z) ∈ τ, there exists a permutation π of U that pointwise fixes Sup({x}) and 
such that z = πFx. Since F is structural, there exists a permutation ρ of U 
that pointwise fixes Sup({πx}) and such that ρπFx = Fπx. Since π pointwise 
fixes Sup({x}), we have πx = x so that ρ pointwise fixes Sup({x}) (and there- 
fore pointwise fixes Active(X)) and ρz = ρπFx = Fπx = Fx = y. Then ρ^{-1} 
pointwise fixes Active(X) and takes y to z. □ 
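The transition relation of Definition 10.1 and the notion of essential determinism compared in Theorem 11.1 can be checked mechanically for the example machine M^0, whose states have Core(X) a finite set of atoms so that Sup(X) = Core(X). The following Python is an added example written for this edition (not code from the paper); it assumes a finite five-atom stand-in for U and fixes F^0's new atom to the first unused one. Besides Definition 7.1 it also checks the closure property that Postulate 4 supplies in the proof of Corollary 7.2: an isomorphism between states carries successors to successors. The contrasting function G_fixed is constructed here and is not from the paper.

```python
from itertools import permutations

# Constructed finite stand-in for the infinite atom set U (an assumption of this example).
U = ('a', 'b', 'c', 'd', 'e')
ALL_PERMS = [dict(zip(U, image)) for image in permutations(U)]


def move(pi, core):
    """π applied to a flat set of atoms; for A^0 this is all Core(X) can be."""
    return frozenset(pi[a] for a in core)


def fixes(pi, atoms):
    """True if pi pointwise fixes every atom in atoms."""
    return all(pi[a] == a for a in atoms)


def F0(core):
    """Step of the example machine M^0: add the first atom of U not yet in the state."""
    return core | frozenset([next(a for a in U if a not in core)])


def G_fixed(core):
    """Constructed contrast, not from the paper: always adds the particular atom 'a'."""
    return core | frozenset(['a'])


def reserve(core):
    """Reserve(X) = U − Sup(X); here Sup(X) = Core(X)."""
    return frozenset(U) - core


def successors(F, core):
    """τ-successors of the state with Core = core (Definition 10.1 / Corollary 10.3):
    all π(F(core)) for permutations π that pointwise fix Sup(X) = core."""
    return {move(pi, F(core)) for pi in ALL_PERMS if fixes(pi, core)}


def essentially_deterministic(F, sample):
    """Definition 7.1 on the sampled states: any two successors Y, Z of X are
    isomorphic via a permutation that is the identity on Active(X), i.e. one
    that pointwise fixes Sup(X) and only permutes the reserve."""
    for core in sample:
        succ = successors(F, core)
        for y in succ:
            for z in succ:
                if not any(fixes(pi, core) and move(pi, y) == z for pi in ALL_PERMS):
                    return False
    return True


def isomorphism_closed(F, sample):
    """The closure property Postulate 4 provides in the proof of Corollary 7.2:
    an isomorphism π : X ≅ πX must map every successor of X to a successor of πX."""
    for core in sample:
        for pi in ALL_PERMS:
            target = successors(F, move(pi, core))
            if any(move(pi, y) not in target for y in successors(F, core)):
                return False
    return True
```

For F0 the successor set of the state {a, b} is exactly {a, b} plus one atom of the reserve, as described after Definition 10.1, and both checks pass. For G_fixed, isomorphism_closed fails already at the state {a}: the permutation swapping a and b maps its only successor {a} to {b}, which is not a successor of {b}. The specification of G_fixed is therefore not a nondeterministic algorithm in the sense presupposed by Definition 7.1, so Theorem 11.1 does not apply to it.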
1 Introduction 

This paper is a sequel to [2], a commentary on [?], and an abridged version of 
a planned paper that will contain complete proofs of all the results presented 
here. 

The BGS model of computation was defined in [5] with the intention of model- 
ing computation with arbitrary finite relational structures as inputs, with essen- 
tially arbitrary data structures, with parallelism, but without arbitrary choices. 
In the absence of any resource bounds, the lack of arbitrary choices makes no 
difference, because an algorithm could take advantage of parallelism to produce 
all possible linear orderings of its input and then use each of these orderings 
to make whatever choices are needed. But if we require the total computation 
time (summed over all parallel subprocesses) to be polynomially bounded, then 
there isn’t time to construct all the linear orderings, and so the inability to make 
arbitrary choices really matters. 

In fact, it was shown that choiceless polynomial time CPTime, the complex- 
ity class defined by BGS programs subject to a polynomial time bound, does 
not contain the parity problem: Given a set, determine whether its cardinality 
is even. Several similar results were proved, all depending on symmetry consid- 
erations, i.e., on automorphisms of the input structure. 

Subsequently, Shelah proved a zero-one law for CPTime properties of 
graphs. We shall state this law and discuss its proof later in this paper. For now, 
let us just mention a crucial difference from the earlier results in [2]: Almost 
all finite graphs have no non-trivial automorphisms, so symmetry considerations 
cannot be applied to them. Shelah’s proof therefore depends on a more subtle 
concept of partial symmetry, which we explain in Section [?] below. 

Finding the proof in (an early version of) [2] difficult to follow, we worked 
out a presentation of the argument for the main case, which we hope will be 
helpful for others interested in Shelah’s ideas. We also added some related results, 
indicating the need for certain aspects of the proof and clarifying some of the 
concepts involved in it. Unfortunately, this material is not yet fully written up. 

* Preparation of this paper was partially supported by a grant from Microsoft Corporation. 
The part already written, however, exceeds the space available to us in the 
present volume. We therefore present here an abridged version of that paper 
and promise to make the complete version available soon. 

For simplicity, we shall often deal only with input structures that are undi- 
rected, loopless graphs, i.e., sets equipped with a symmetric, irreflexive binary 
relation of adjacency. We also restrict our attention to the uniform probability 
model. That is, we define the probability of a property (assumed isomorphism- 
invariant) of n-vertex graphs by considering all graphs with vertex set {1, 2, ..., n} 
to be equally probable. The asymptotic probability of a property of graphs is de- 
fined as the limit, as n → ∞, of its probability among n-vertex graphs. In general, 
a zero-one law says that properties have asymptotic probability 0 or 1, but, as 
we shall see, some care is needed in formulating the zero-one law for CPTime. 

All the results discussed in this paper can be routinely extended to other con- 
texts, such as directed graphs, or sets with several relations, including relations 
of more than two arguments. It is also routine to replace the uniform probability 
measure by one where all potential edges have probability p, a constant other 
than 1/2. We do not discuss these generalizations further, because they complicate 
the notation without contributing any new ideas. 



2 The Zero-One Law 

We start with a very brief description of the BGS model of computation, just 
adequate to formulate the zero-one law. In Section 3 we shall give more details 
about the model, in preparation for a description of its proof. 

The BGS model, introduced in [2], is a version of the abstract state machine 
(ASM) paradigm [?]. The input to a computation is a finite relational structure 
I. A state of the computation is a structure whose domain is HF(I), which 
consists of the domain of I together with all hereditarily finite sets over it; the 
structure has the relations of I, some set-theoretical apparatus (for example 
the membership relation ∈), and some dynamic functions. The computation 
proceeds in stages, always modifying the dynamic functions in accordance with 
the program of the computation. The dynamic functions are initially constant 
with value 0 and they change at only finitely many arguments at each step. So, 
although HF(I) is infinite, only a finite part of it is involved in the computation at 
any stage. The computation ends when and if a specific dynamic 0-ary function 
Halt acquires the value true, and the result of the computation is then the value 
of another dynamic 0-ary function Output. 

This model was used to define choiceless polynomial time CPTime by requir- 
ing a computation to take only polynomially many (relative to the size of the 
input structure I) steps and to have only polynomially many active elements. 
(Roughly speaking, an element of HF(I) is active if it participates in the up- 
dating of some dynamic function at some stage.) Also, Output was restricted to 
have Boolean values, so the result of a computation could only be true, or false, 
or undecided. (The “undecided” situation arises if the computation exhausts the 
allowed number of steps or the allowed number of active elements without Halt 
becoming true.) We shall use the name polynomial time BGS program to refer 
to a BGS program, with Boolean Output, together with polynomial bounds on 
the number of steps and the number of active elements. 

Two classes K_0 and K_1 of graphs are CPTime-separable if there is a polyno- 
mial time BGS program Π such that, for all input structures from K_0 (resp. K_1), 
Π halts with output false (resp. true) without exceeding the polynomial 
bounds. It doesn’t matter what Π does when the input is in neither K_0 nor 
K_1. 

Theorem 1 (Shelah’s Zero-One Law) If K_0 and K_1 are CPTime-separable 
classes of undirected graphs, then at least one of K_0 and K_1 has asymptotic 
probability zero. 

An equivalent formulation of this is that, for any given polynomial time 
BGS program, either almost all graphs produce output true or undecided or else 
almost all graphs produce output false or undecided. It is tempting to assert the 
stronger claim that either almost all graphs produce true, or almost all produce 
false, or almost all produce undecided. Unfortunately, this stronger claim is false; 
a counterexample will be given after we review the definition of BGS programs 
in Section 3. 

The theorem was, however, strengthened considerably in another direction 
in [?]. It turns out that the number of steps in a halting computation is almost 
independent of the input. 

Theorem 2 Let a BGS program Π with Boolean output and a polynomial bound 
for the number of active elements be given. There exist a number m, an output 
value v, and a class C of undirected graphs, such that C has asymptotic probability 
one and such that, for each input I ∈ C, one of the two following alternatives 
holds. Either Π on input I halts after exactly m steps with output value v and 
without exceeding the given bound on active elements, or Π on input I exceeds 
the bound on active elements by step m. 

Notice that this theorem does not assume a polynomial bound on the num- 
ber of steps. It is part of the conclusion that the number of steps is not only 
polynomially bounded but constant as long as the input is in C and the number 
of active elements obeys its bound. 

Intuitively, bounding the number of active elements, without bounding the 
number of computation steps, amounts to a restriction on space, rather than 
time. Thus, Theorem 2 can be viewed as a zero-one law for choiceless polynomial 
space computation. 

The class C in the theorem actually has a fairly simple description; it consists 
of the graphs that have at least n_1 nodes and satisfy the strong extension axioms 
to be defined in Section [?] below for up to n_2 variables. The parameters n_1 
and n_2 in this definition can be easily computed when the program Π and the 
polynomial bound on the number of active elements are specified. 
3 BGS Programs 

In this section, we review the syntax and semantics of BGS programs, as well 
as the concept of active elements. These are the ingredients used in defining 
CPTime in [?]. 

We identify the truth values false and true with the sets 0 = ∅ and 1 = {∅}, 
respectively. Thus, relations can be regarded as functions taking values in {0, 1}. 

Definition 3 Our function symbols are 

— the logical symbols, namely = and the connectives ∧, ∨, ¬, →, true, 
and false, 

— the set-theoretic function symbols ∈, ∅, Atoms, ⋃, TheUnique, and Pair, 

— the input predicate symbol A, and 

— finitely many dynamic function symbols. 

The intended interpretation of ⋃x, where x is a family of sets and atoms, 
is the union of the sets in x (ignoring the atoms). If x is a set with exactly 
one member then TheUnique(x) is that member. Pair(x, y) means {x, y}. The 
input predicate A denotes the adjacency relation of the input graph. The in- 
tended meanings (and arities) of the other symbols should be clear. We adopt 
the convention that if a function is applied to an inappropriate argument (like 
⋃ applied to an atom or A applied to sets) then the value is 0. 

The function symbols ∈, A, and the logical symbols are called predicates 
because their intended values are only true and false. 

In addition to function symbols, we use a countably infinite supply of vari- 
ables and we use certain symbols introduced in the following definitions of terms 
and rules. 

Definition 4 Terms and Boolean terms are defined recursively as follows. 

— Every variable is a term. 

— If f is a j-ary function symbol and t_1, ..., t_j are terms, then f(t_1, ..., t_j) is 
a term. It is Boolean if f is a predicate. 

— If v is a variable, t(v) a term, r a term in which v is not free, and φ(v) a 
Boolean term, then 

{t(v) : v ∈ r : φ(v)} 

is a term. 

The construction {t(v) : v ∈ r : φ(v)} binds the variable v. 

In connection with {t(v) : v ∈ r : φ(v)}, we remark that, by exhibiting the 
variable v in t(v) and φ(v), we do not mean to imply that v must actually occur 
there, nor do we mean that other variables cannot occur there. We are merely 
indicating the places where v could occur free. The “two-colon” notation {t(v) : 
v ∈ r : φ(v)} is intended to be synonymous with the more familiar “one-colon” 
notation {t(v) : v ∈ r ∧ φ(v)}. By separating the v ∈ r part from φ(v), we indicate 
the computational intention that the set should be built by running through all 
members of r, testing for each one whether it satisfies φ, and collecting the 
appropriate values of t. Thus {t(v) : v ∈ r : v ∈ r'} and {t(v) : v ∈ r' : v ∈ r} are 
the same set, but produced in different ways. (Such “implementation details” 
have no bearing on the results but provide useful intuitive background for some 
of our definitions.) 

Definition 5 Rules are defined recursively as follows. 

— Skip is a rule. 

— If f is a dynamic j-ary function symbol and t_0, t_1, ..., t_j are terms, then 

f(t_1, ..., t_j) := t_0 

is a rule, called an update rule. 

— If φ is a Boolean term and R_0 and R_1 are rules, then 

if φ then R_0 else R_1 endif 

is a rule, called a conditional rule. 

— If v is a variable, r is a term in which v is not free, and R(v) is a rule, then 

do forall v ∈ r, R(v) enddo 

is a rule, called a parallel combination. 

The construct do forall v ∈ r, R(v) enddo binds the variable v. 

Convention 6 When the “else” part is Skip, we use if φ then R to abbrevi- 
ate if φ then R else Skip endif. We use do in parallel R_0, R_1 enddo as an 
abbreviation for 

do forall v ∈ Pair(true, false) 
if v = true then R_0 else R_1 
endif 
enddo 

The do in parallel construct applied to more than two rules means an 
iteration of the binary do in parallel. 



Definition 7 A program is a rule with no free variables. 

Convention 8 By renaming bound variables if necessary, we assume that no 
variable occurs both bound and free, and no variable is bound twice, in any term 
or rule. 

Throughout much of this paper, the context of our discussion will include a 
fixed program Π. In such situations, we adopt the following convention. 

Convention 9 When we refer to a term or rule within Π, we mean a specific 
occurrence of the term or rule in Π. 

Since a program Π has no free variables, every variable v occurring in it is 
bound exactly once, either by a term {t : v ∈ r : φ} or by a rule do forall v ∈ 
r, R enddo. 

Definition 10 If v is bound by {t : v ∈ r : φ}, then the scope of v consists of 
the exhibited occurrence of v as well as t and φ. If v is bound by do forall v ∈ 
r, R enddo, then the scope of v consists of its exhibited occurrence and R. In 
both cases, the range of v is r. Notice that the range of v is not in the scope of 
v. 



We shall need to know that the semantics of terms and rules can be defined 
by first-order formulas using only primitive set-theoretic notions (∈ and Atoms), 
the adjacency relation of the input graph, and the dynamic functions. More 
precisely, consider any particular state of one of our ASM’s. It is a structure H^+ 
with underlying set HF(I) and with interpretations for all the function symbols 
listed in Definition 3. Let H be the structure 

H = (HF(I), ∈, I, A) 

that is like H^+ except that among the non-logical symbols only ∈, Atoms, and A 
are interpreted. (In the usual terminology of mathematical logic, H is a reduct 
of H^+.) Let H^± be the intermediate structure in which the dynamic function 
symbols are also interpreted (by the same functions as in H^+). We shall need 
to know that all essential aspects of the execution of Π in the state H^+, i.e., 
the computation leading from H^+ to its sequel, can be defined in the structure 
H^±. (It will turn out that, for every state H^+ that actually arises during the 
computation of a BGS machine, the dynamic functions will be definable in H, 
and so we could use H instead of H^± here. See the proof of Proposition 11 
below.) 

The longer version of this paper will contain these H^±-definitions in full; here 
we give only some typical examples. To avoid having to introduce new symbols 
for a multitude of set-theoretic formulas, we adopt the notational convention 
that ⌈φ⌉ means the set-theoretic formalization of the (informal) statement φ. 

We first define ⌈y ∈ t⌉ and ⌈y = t⌉ for all terms t; here y is a variable not 
free in t. Here are some typical clauses from the definition. 

— If f is a dynamic function symbol, then ⌈y = f(t_1, ..., t_j)⌉ is 

$$\exists z_1 \ldots \exists z_j \Big( \bigwedge_{i=1}^{j} \lceil z_i = t_i \rceil \;\wedge\; y = f(z_1, \ldots, z_j) \Big).$$

— ⌈y ∈ Pair(t_1, t_2)⌉ is ⌈y = t_1⌉ ∨ ⌈y = t_2⌉. 

— ⌈y ∈ {t(v) : v ∈ r : φ(v)}⌉ is 

$$\exists v \big( \lceil v \in r \rceil \wedge \lceil \mathrm{true} = \varphi(v) \rceil \wedge \lceil y = t(v) \rceil \big).$$
Next, we define in H^± the semantics of rules. For each rule R and each dy- 
namic function symbol f, say of arity j, we first define a preliminary formula, 
⌈R wants to set f at x_1, ..., x_j to y⌉, which ignores possible conflicts between 
updates. This is a formula with free variables x_1, ..., x_j, y and any variables 
z_1, ..., z_k free in the rule R. It holds in state H^+ of elements a_1, ..., a_j, b, c_1, ..., c_k 
if and only if ((f, a_1, ..., a_j), b) is in the update set of rule R(c_1, ..., c_k) in 
state H^+ as defined in [?]. (We use the symbol f in our name for the formula 
⌈R wants to set f at x_1, ..., x_j to y⌉, but f need not occur in the formula itself.) 
Typical clauses in the construction of ⌈R wants to set f at x_1, ..., x_j to y⌉ in- 
clude: 

— ⌈f(t_1, ..., t_j) := t_0 wants to set f at x_1, ..., x_j to y⌉ is 

$$\bigwedge_{i=1}^{j} \lceil x_i = t_i \rceil \;\wedge\; \lceil y = t_0 \rceil.$$

— ⌈do forall v ∈ r, R enddo wants to set f at x_1, ..., x_j to y⌉ is 

$$\exists v \big( \lceil v \in r \rceil \wedge \lceil R \text{ wants to set } f \text{ at } x_1, \ldots, x_j \text{ to } y \rceil \big).$$

A rule may want to set f at x_1, ..., x_j to several values. We adopt the 
standard ASM convention that if the program Π contains such a conflict, then all 
the dynamic functions remain unchanged. The formal definitions are as follows. 

— ⌈Π clashes⌉ is 

$$\bigvee_{f} \exists x_1 \ldots \exists x_j \exists y \exists z \big( \lceil \Pi \text{ wants to set } f \text{ at } x_1, \ldots, x_j \text{ to } y \rceil \wedge \lceil \Pi \text{ wants to set } f \text{ at } x_1, \ldots, x_j \text{ to } z \rceil \wedge y \neq z \big).$$

Of course, the arity j depends on f. 

— ⌈Π sets f at x_1, ..., x_j to y⌉ is 

⌈Π wants to set f at x_1, ..., x_j to y⌉ ∧ ¬⌈Π clashes⌉. 

Finally, we define the dynamic functions for the sequel state, that is, for the 
state obtained from H^+ by executing Π once. 

For a j-ary dynamic function f, we define 

⌈y = f(x_1, ..., x_j) in the sequel⌉ 

to be 

$$\lceil \Pi \text{ sets } f \text{ at } x_1, \ldots, x_j \text{ to } y \rceil \;\vee\; \big( \lceil y = f(x_1, \ldots, x_j) \rceil \wedge \neg \exists y' \lceil \Pi \text{ sets } f \text{ at } x_1, \ldots, x_j \text{ to } y' \rceil \big).$$
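The clauses above spell out, in first-order terms, the update-set semantics of rules: what a rule wants to set, when the wants clash, and how the sequel state is obtained. As an added, executable rendering of that same semantics (example code written for this edition, not code from the paper), the following Python evaluates terms, including the two-colon set term of Definition 4, computes the update set a rule wants, detects clashes, and applies the ASM convention that a clashing program leaves every dynamic function unchanged. The rule constructors, the dynamic function names Nbr and Pick, and the three-vertex input graph are all constructed for this example.

```python
# Truth values as in the paper: false = 0 = ∅ and true = 1 = {∅}.
FALSE = frozenset()
TRUE = frozenset([FALSE])


def make_state(atoms, edges):
    """A state H^+: the input graph (I, A) plus dynamic functions, all initially 0.
    Edges are stored symmetrically, as adjacency in an undirected graph must be."""
    sym = frozenset(edges) | frozenset((b, a) for a, b in edges)
    return {'atoms': frozenset(atoms), 'A': sym, 'dyn': {}}


def dyn(state, f, args):
    """Value of dynamic function f at args; locations never updated hold 0 = ∅."""
    return state['dyn'].get((f, tuple(args)), FALSE)


# Terms are Python callables (state, env) -> value, where env assigns values to variables.
def var(v):
    return lambda st, env: env[v]


def atoms():
    return lambda st, env: st['atoms']


def adj(t1, t2):
    """The input predicate A(t1, t2) as a Boolean term."""
    return lambda st, env: TRUE if (t1(st, env), t2(st, env)) in st['A'] else FALSE


def comp(v, r, phi, t):
    """The two-colon term {t(v) : v ∈ r : φ(v)} of Definition 4: run through r,
    test φ on each member, collect the values of t."""
    def term(st, env):
        return frozenset(t(st, {**env, v: val}) for val in r(st, env)
                         if phi(st, {**env, v: val}) == TRUE)
    return term


# Rules: ('skip',), ('update', f, [t1..tj], t0), ('if', phi, R0, R1), ('forall', v, r, R).
def wants(rule, st, env):
    """Update set of a rule: pairs ((f, (a1..aj)), b) the rule wants, conflicts ignored.
    This mirrors the clauses for ⌈R wants to set f at x1..xj to y⌉."""
    kind = rule[0]
    if kind == 'skip':
        return set()
    if kind == 'update':
        _, f, ts, t0 = rule
        return {((f, tuple(t(st, env) for t in ts)), t0(st, env))}
    if kind == 'if':
        _, phi, r0, r1 = rule
        return wants(r0 if phi(st, env) == TRUE else r1, st, env)
    if kind == 'forall':
        _, v, r, body = rule
        ups = set()
        for val in r(st, env):
            ups |= wants(body, st, {**env, v: val})
        return ups
    raise ValueError(kind)


def clashes(updates):
    """⌈Π clashes⌉: some location is wanted at two different values."""
    seen = {}
    return any(seen.setdefault(loc, val) != val for loc, val in updates)


def step(program, st):
    """The sequel state: apply the update set, unless it clashes, in which case
    all dynamic functions stay as they were."""
    ups = wants(program, st, {})
    if clashes(ups):
        return st
    new = dict(st, dyn=dict(st['dyn']))
    for loc, val in ups:
        new['dyn'][loc] = val
    return new


# Constructed input: the three-vertex path 1 - 2 - 3.
G = make_state([1, 2, 3], [(1, 2), (2, 3)])

# Program 1: in parallel, store each vertex's neighbour set. Locations differ, so no clash.
NEIGHBOURS = ('forall', 'v', atoms(),
              ('update', 'Nbr', [var('v')],
               comp('w', atoms(), adj(var('v'), var('w')), var('w'))))

# Program 2: every vertex wants to set the 0-ary Pick to itself. That is a clash,
# so under the ASM convention the state is left unchanged.
PICK = ('forall', 'v', atoms(), ('update', 'Pick', [], var('v')))


def run_examples():
    """Returns Nbr(2) after program 1, whether program 2 clashes, and program 2's effect."""
    return dyn(step(NEIGHBOURS, G), 'Nbr', [2]), clashes(wants(PICK, G, {})), step(PICK, G)['dyn']
```

The update set computed by wants is the semantic counterpart of the formula family above: the 'update' case is the conjunction clause, the 'forall' case the existential clause, and step realises ⌈y = f(x_1, ..., x_j) in the sequel⌉ by keeping the old value at every location the program does not set.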



The preceding definitions provide most of the proof of the following result. 
Proposition 11 For any BGS program Π, there exists a number B with the fol- 
lowing property. For each natural number m and each dynamic function symbol 
f, there is a first-order formula ⌈y = f(x_1, ..., x_j) at step m⌉ in the vocabulary 
{∈, Atoms, A} such that, for any input structure (I, A), the tuples that satisfy 
⌈y = f(x_1, ..., x_j) at step m⌉ in H = (HF(I), ∈, I, A) constitute the graph of f 
in the state at step m of the run of Π on (I, A). Furthermore, the number of variables 
occurring in ⌈y = f(x_1, ..., x_j) at step m⌉ is at most B. 

It will be important that the bound B depends only on Π, not on m. To 
avoid possible confusion, we emphasize that variables can be re-used in these 
formulas; thus the same variable may be bound many times and may occur free 
as well. 

Proof. We construct the required formulas by induction on m, starting with 
⌈y = f(x_1, ..., x_j) at step 0⌉, which can be taken to be ⌈y = 0⌉ because all 
dynamic functions are initialized to be constant with value 0. 

For the induction step from m to m + 1, we begin with the formula ⌈y = 
f(x_1, ..., x_j) in the sequel⌉ as constructed above. Then, for each dynamic func- 
tion symbol g, we replace each occurrence of a subformula ⌈w = g(t_1, ..., t_k)⌉ 
with ⌈w = g(t_1, ..., t_k) at step m⌉. 

As for the bound B, it can be taken to be the maximum number of variables 
in any of the formulas ⌈y = f(x_1, ..., x_j) in the sequel⌉ as f ranges over all the 
dynamic function symbols. We omit the verification of this; it is a fairly standard 
application of the idea of re-using variables. □ 

Remark 12 For the purpose of proving Theorem 0, it is important that the
number of variables in the formulas $[y = f(x_1, \ldots, x_j) \text{ at step } m]$ be bounded
independently of $m$, but it is not crucial that the formulas be finite. Formulas of
the infinitary language $L_{\infty\omega}$ would serve as well. An alternate approach to obtaining
such formulas is to express $[y = f(x_1, \ldots, x_j) \text{ at step } z]$ (with a variable
$z$ for the number of steps, numbers being viewed as von Neumann ordinals) in
first-order logic with the least-fixed-point operator, and then to use the known
translation from this logic into the infinitary, finite-variable logic (see [5]).

This is the approach used in 0. Then, to get the corresponding formulas for 
specific m in place of z, one only has to check that each natural number m can 
be defined with a fixed number of variables, independent of m. In fact, each 
natural number can be defined with just three variables. 

We shall need a slight generalization of the notions, defined in 0, of “critical”
and “active” elements of a state of a BGS computation. Instead of considering
only states, we consider pebbled states consisting of a state together with an
assignment of values to finitely many variables. (Pebbled states are the contexts
in which it makes sense to evaluate a term or rule.) When the relevant variables
and their ordering are understood, we think of a pebbled state as a state plus
a tuple of elements, $(H, a_1, \ldots, a_j)$, where $a_i$ is the value assigned to the $i$-th
variable. For brevity, we sometimes use vector notation $\mathbf{a}$ for $(a_1, \ldots, a_j)$.
Definition 13 The critical elements of a pebbled state $(H, \mathbf{a})$ are

— all the atoms and the set $I$ of atoms,

— the Boolean values true and false,

— all values of dynamic functions,

— all components of locations where dynamic functions have values other than
0, and

— all components of $\mathbf{a}$.

An element is active if it is in the transitive closure of some critical element.

For ordinary (unpebbled) states, this definition differs from that in [2] only
in that the set $I$ of atoms is critical and therefore also active.

We are now in a position to give the example, promised in Section El, of a
BGS program $\Pi$ together with polynomial bounds on the number of steps and
the number of active elements, such that not all of the following three classes
of graphs have asymptotic probability 0 or 1: the graphs on which $\Pi$ halts with
output true (within the prescribed bounds on steps and active elements), the
analogous class for false, and the class of graphs on which $\Pi$ fails to halt within
the prescribed bounds. The required $\Pi$ can be taken to be

    do forall x ∈ Atoms
      do forall y ∈ Atoms
        do in parallel
          if A(x,y) then f(Pair(x,y)) := true,
          Output := true,
          Halt := true
        enddo
      enddo
    enddo

This program $\Pi$ only executes once before halting, so we can take the polynomial
bound on the number of steps to be 2 and ignore this bound. The number of
active elements is $n + 3 + e$, where $n$ and $e$ are the numbers of vertices and edges
in the input graph. (The active elements are the $n$ atoms, the $e$ two-element
sets corresponding to edges, the two Boolean values, and the set $I$ of atoms.)
In a large random graph, the expected value of $e$ is $n(n-1)/4$, i.e., half the
number of possible edges, but small fluctuations about this value are probable.
Indeed, the asymptotic probability that $e < n(n-1)/4$ is $1/2$. So, if we impose
a bound of $n + 3 + n(n-1)/4$ on the number of active elements, then with
asymptotic probability $1/2$ our program will halt with output true, and with
asymptotic probability $1/2$ it will fail to halt because it cannot execute its single
computation step without activating too many elements.
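As an added illustration (not part of the paper), the following Python code runs the one-step program $\Pi$ above on a concrete graph, counts its active elements as $n + 3 + e$, and estimates by simulation on $G(n, 1/2)$ how often the bound $n + 3 + n(n-1)/4$ lets the step execute; the edge-list representation and all function names are assumptions of this example.

```python
"""Added example (not from the paper): the one-step BGS program Pi of this
section, executed on a concrete graph under a bound on active elements."""
import random
from itertools import combinations


def run_pi(n, edges, bound=None):
    """Execute the single step of Pi on the graph with vertices 0..n-1.

    Returns (output, active): output is "true" if Pi halted with Output = true,
    and None if the bound on active elements prevented the step from executing.
    """
    # The step sets f(Pair(x, y)) := true for every edge; the locations it
    # touches are the two-element sets {x, y} (one per edge, whatever the order).
    pairs = {frozenset((x, y)) for x, y in edges if x != y}
    # Active elements (Definition 13, with I critical): the n atoms, the e
    # edge-sets, the two Boolean values, and the set I of atoms itself.
    active = n + len(pairs) + 2 + 1
    if bound is not None and active > bound:
        return None, active
    return "true", active


def random_graph(n, rng):
    """Constructed G(n, 1/2) sample: each pair is an edge with probability 1/2."""
    return [(x, y) for x, y in combinations(range(n), 2) if rng.random() < 0.5]


def halting_fraction(n, trials, seed=0):
    """Fraction of seeded random graphs on which Pi halts under the bound
    n + 3 + n(n-1)/4; the text predicts this tends to 1/2 as n grows."""
    rng = random.Random(seed)
    bound = n + 3 + n * (n - 1) / 4
    halted = sum(run_pi(n, random_graph(n, rng), bound)[0] == "true"
                 for _ in range(trials))
    return halted / trials


if __name__ == "__main__":
    # Constructed 4-vertex graph with edges {0,1} and {1,2}: 4 + 3 + 2 = 9 active.
    print(run_pi(4, [(0, 1), (1, 2)], bound=9))
    print(halting_fraction(40, 400))
```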



4 Outline of Proof of Zero-One Law 

We already know, from Proposition 11, that whether a BGS program halts at a
particular step with a particular output can be defined by a first-order sentence
over the structure $H = (HF(I), \in, I, A)$, with a number of variables that does
not depend on the number of steps. A natural approach to proving Theorem 0
would therefore be to use Ehrenfeucht-Fraïssé games and produce winning strategies
for the duplicator, to show that such sentences have the same truth value
for almost all input graphs $(I, A)$. Unfortunately, that isn’t true; for example,
the parity of $|I|$ can be defined by a first-order statement over $H$.

As in [2], this approach can be modified by defining a subclass $S$ of $HF(I)$
for which the duplicator has the necessary winning strategies, and then showing
that the definitions given in Proposition 11 remain correct when interpreted in
$S$ instead of $HF(I)$. $S$ consists of those elements of $HF(I)$ that have suitable
symmetry properties. In [2], symmetry meant invariance under enough automorphisms
of the input structure. But almost all graphs have no non-trivial
automorphisms, so a subtler approach to symmetry is needed. Shelah introduces
a suitable class of partial automorphisms (for any given program $\Pi$ and any
given polynomial bound on the number of active elements) and shows that it
leads to an appropriate notion of symmetry. Here “appropriate” means that the
symmetry requirements are restrictive enough to provide winning strategies for
the duplicator yet are lenient enough to include all the sets actually involved in
a computation of $\Pi$, limited by the given bound on active elements.

The hardest part of the proof is the leniency just mentioned: the computation
involves only symmetric sets. This will be proved by a double induction, first on
the stages of the computation and second, within each stage, on the subterms
and subrules of $\Pi$. That inner induction proceeds along a rather unusual ordering
of the subterms and subrules, which we call the computational ordering.

In this double induction, it is necessary to strengthen the induction hypothesis,
to say not only that every set $x$ involved in the computation is symmetric but
also that all sets $x'$ obtained from $x$ by applying suitable partial automorphisms
are also involved in the computation. The assumed bound on the number of active
elements will imply a polynomial bound on the number of involved elements.
(Not all involved elements are active, but there is a close connection between the
two.) That means that the number of $x'$’s is limited, which in turn implies, via
a highly non-trivial combinatorial lemma, that $x$ is symmetric.

The traditional extension axioms, as in jS], are satisfied by almost all graphs 
and are adequate to produce the duplicator’s strategies that we need, but they 
are not adequate to imply the combinatorial lemma needed in the symmetry 
proof. For this purpose, we need what we call strong extension axioms, saying 
that every possible type over a finite set is not only realized but realized by a 
large number of points. 

In the next few sections, we shall assemble the tools for the proof that have 
been mentioned here. After thus describing the proof in somewhat more detail, 
we shall add some sections about related issues. 
5 Tasks and Their Computational Order

To compute the value of a term or the update set of a rule, one needs a structure 
(the state of the computation) and values for the variables free in the term or 
rule. In most of our discussion, there will be a fixed structure under consider- 
ation but many choices of values for variables. It will therefore be convenient 
to push the structures into the background, often neglecting even to mention 
them, and to work with pairs whose first component is a term or rule and whose 
second component is an assignment of values to some variables (including all the 
variables free in the first component). We shall call such pairs “tasks” because 
we regard them as things to be evaluated in the course of a computation. 

The official definition of tasks will differ in two respects from this informal
description. First, we shall always have a particular program $\Pi$ under consideration,
and we deal only with terms and rules occurring in $\Pi$. Recall in this
connection our Convention 0 by which we are really dealing with occurrences
of terms and rules. Second, it will be convenient to include in our tasks not
only the obviously necessary values for free variables but also values for certain
additional variables, defined as follows.

Definition 14 A variable $v$ is pseudo-free in a term $t$ or rule $R$ if $t$ or $R$ lies in
the scope of $v$.

Because $\Pi$, being a program, has no free variables, all the free variables in a
term or rule must also be pseudo-free in it. But there may be additional pseudo-free
variables. From a syntactic point of view, $v$ is pseudo-free in $t$ or $R$ if one
could introduce $v$ as a free variable in $t$ or $R$ without violating the requirement
that $\Pi$ have no free variables. From a computational point of view, the pseudo-free
variables of $t$ or $R$ are those variables to which specific values have been
assigned whenever one is about to evaluate $t$ or $R$ in the natural algorithm for
executing $\Pi$.

Definition 15 A term-task (relative to a program $\Pi$ and a state $H^+$) is a pair
$(t, a)$ where $t$ is a term in $\Pi$ and $a$ is an assignment of values in $H^+$ to all the
pseudo-free variables of $t$. Rule-tasks are defined similarly except that the first
component is a rule in $\Pi$. Term-tasks and rule-tasks are collectively called tasks.

Although the second component $a$ of a task is officially a function assigning
values to the pseudo-free variables of the first component, we sometimes view it
as simply a tuple of values. This makes good sense provided we imagine a fixed
order for the pseudo-free variables. We also sometimes write $a\restriction$ for the restriction
of the function $a$ to an appropriate subset of its domain; it will always be clear
from the context what the appropriate subset is.

We write Val(t, a) for the value of the term t in a structure (assumed fixed 
throughout the discussion) when the free variables are assigned values according 
to a. 

Definition 16 The computational order $\prec$ is the smallest transitive relation on
tasks satisfying the following conditions.



Choiceless Polynomial Time Computation and the Zero-One Law 29 

— $(t_i, a) \prec$ for $1 \le i \le j$.

— $(r, a) \prec (\{s : v \in r : \varphi\}, a)$ and, for each $b \in \mathrm{Val}(r, a)$, all three of $(v, a, b)$,
$(s, a, b)$ and $(\varphi, a, b)$ are $\prec (\{s : v \in r : \varphi\}, a)$.

— $(t_i, a) \prec (f(t_1, \ldots, t_j) := t_0,\ a)$ for $0 \le i \le j$.

— All of $(\varphi, a)$, $(R_0, a)$, and $(R_1, a)$ are $\prec (\text{if } \varphi \text{ then } R_0 \text{ else } R_1 \text{ endif},\ a)$.

— $(r, a) \prec (\text{do forall } v \in r,\ R \text{ enddo},\ a)$ and, for each $b \in \mathrm{Val}(r, a)$, both
$(v, a, b)$ and $(R, a, b)$ are $\prec (\text{do forall } v \in r,\ R \text{ enddo},\ a)$.

— If $r$ is the range of a variable $v$ pseudo-free in $t$ or $R$, then $(r, a\restriction) \prec (t, a)$ or
$(r, a\restriction) \prec (R, a)$, respectively.

Except for the last clause, the definition assigns as the predecessors of a task
simply the subterms or subrules of its first component, equipped with suitable
values for the variables. The last clause, however, is quite different. Here the
first component $r$ of the lower clause may well be much larger than the first
component $t$ or $R$ of the upper clause.

Intuitively, if one task precedes another in this computational ordering, then
in the natural calculation involved in the execution of $\Pi$ the former task would
be carried out before the latter. In the range clause, the idea is that, before
attempting to evaluate $t$ or $R$, we would have assigned a value to $v$, and before
that we would have evaluated the range in order to know what the possible
values for $v$ are.

This intuition strongly suggests that the computational order should be well-founded.
In fact it is, but the proof is not trivial and will only be sketched here.
To treat term-tasks and rule-tasks simultaneously, we use $X, Y, \ldots$ to stand for
either terms $t$ or rules $R$.

Proposition 17 There is a rank function $\rho$, mapping terms and rules to natural
numbers, such that if $(X, a) \prec (Y, b)$ then $\rho(X) < \rho(Y)$.

Proof. Let $V$ be the number of variables occurring in $\Pi$, and let $D$ be the
maximum depth of nesting of terms and rules occurring in $\Pi$.

For each variable $v$ in $\Pi$, let $r(v)$ be the number of symbols in the term or
rule that binds $v$. Notice that, if $x$ is bound in the range of $y$ then $r(x) < r(y)$.

Call a variable $v$ relevant to a term or rule $X$ if it is either pseudo-free in $X$
or bound in $X$. In other words, the scope of $v$ either includes or is included in
$X$. Define $\sigma(X)$ to be the sum of  over all variables relevant to $X$. As one
goes downward in the computational order, using any clause in its definition
except the range clause, the set of relevant variables either remains the same or
shrinks, so the value of $\sigma$ remains the same or decreases. Furthermore, when $\sigma$
stays the same, the depth of nesting inside the term or rule decreases. As one
goes downward using the range clause, the variable $v$ explicitly mentioned in the
clause loses its relevance, but other variables, bound in $r$, may become relevant.
All of the latter have $r$ values strictly smaller than that of $v$, and there are fewer
than $V$ of them, so $\sigma$ still decreases.

Therefore, if we define

$$\rho(X) = (D + 1)\,\sigma(X) + \mathrm{depth}(X),$$

where $\mathrm{depth}(X)$ means the depth of nesting of terms and rules in $X$, then $\rho(X)$
decreases at every downward step in the computational ordering. □

This proposition immediately implies that the computational order is a strict
partial order; it has no cycles. Since finite partial orders are well-founded, it is
legitimate to do proofs by induction with respect to $\prec$. Such proofs can also
be regarded as ordinary mathematical induction on the rank $\rho$. Furthermore,
induction on $\rho$ is somewhat more powerful than induction with respect to $\prec$,
because $\rho$-induction allows us, when proving a statement for some task, to assume
the same statement not only for all computationally earlier tasks $(X, a)$ but also
for all tasks $(X, b)$ having the same first components as these. This is because $\rho$
depends only on the first component.

The following lemma is useful technically, and it also serves to clarify the
role of the range clause in the definition of the computational ordering. The
definition of this ordering $\prec$ ensures that, if one task $T$ precedes another $T'$ then
there is a chain

$$T' = T_0 \succ T_1 \succ \cdots \succ T_n = T$$

joining them, in which each two consecutive terms are related as in one of the
clauses in Definition 16.

Lemma 18 If $T' \succ T$ then there is a chain as above, in which the range clause
is used, if at all, only at the first step, from $T_0$ to $T_1$.

We omit the proof, which is an induction on the length n of the chain. 

Corollary 19 If a task T precedes a task T' with no pseudo-free variables in 
its first component (and thus with empty second component), then this can be 
established without the range clause. 

Proof. The chain from T' down to T obtained in the lemma must not use the 
range clause at all, for the range clause is not applicable at the first step in the 
absence of pseudo-free variables in T'. □ 

The important case of the corollary is when (the first component of) $T'$ is
the whole program $\Pi$.



6 Involved and Active Elements 

Throughout this section, we assume that we are dealing with a fixed program
$\Pi$ and a fixed state arising during its execution on some input $(I, A)$. As before,
we write $H$ for the structure $(HF(I), \in, I, A)$. The state under consideration
is an expansion of $H$, interpreting the dynamic function symbols as well as
the other static function symbols. We write $H^+$ for this state. Notice that, by
Proposition 11, the interpretations of the additional function symbols of $H^+$ are
all definable in $H$. The definitions of the dynamic function symbols depend on
the stage of the computation; the others do not.
The following definition is intended to capture the intuitive notion of an element
of $HF(I)$ being “looked at” during the execution of a task $T$. It doesn’t
quite fulfill this intention, for it includes too many elements, pretending for example
that execution of an if ... then ... else ... includes execution of both
the constituent rules regardless of the truth value of the guard. Nevertheless,
it serves our purposes because (1) it includes all the elements that are really
needed (see Lemma 21 below) and (2) it doesn’t include too many additional
elements (see Lemma 23 below).

Definition 20 An element $c \in HF(I)$ is involved in a task $(X, a)$ (with respect
to a program $\Pi$ and a state $H^+$) if either it is active in $(H^+, a)$ or it is the value
in $H^+$ of some term-task $\preceq (X, a)$.

The next three lemmas give the key properties of this notion of “involved.” 

Lemma 21 Any object that is not active in a state $H^+$ but is active in its sequel
with respect to $\Pi$ must be involved in the task $\Pi$ with respect to state $H^+$.

Lemma 22 The set-theoretic definitions at the end of Section 0, in particular
Proposition 11, remain correct if the quantifiers are interpreted to range only
over elements involved in $\Pi$ rather than over all of $HF(I)$.

This is proved by inspecting all those definitions, including the ones that
we did not explicitly exhibit, seeing which values of the quantified variables are
essential, and checking that these values are all involved in $\Pi$.

Lemma 23 For any state $H^+$ and any task $(X, a)$, the number of elements
involved in $(X, a)$ is bounded by a polynomial function of the number of active
elements in $(H^+, a)$. The polynomial depends only on the term or rule $X$.

This is proved by induction on $X$. We are interested in the lemma primarily in
the case that the task $(X, a)$ is the entire program $\Pi$ (with the empty assignment,
as $\Pi$ has no pseudo-free variables). A CPTime program comes with a polynomial
bound on the number of active elements during its run; the lemma allows us to
deduce a (possibly larger) polynomial bound on the number of involved elements.
This will be crucial in showing that the computation takes place entirely in the
world of symmetric sets.

7 Strong Extension Axioms 

Let $\tau(x_0, x_1, \ldots, x_k)$ be a quantifier-free formula of the form

$$\Bigl(\bigwedge_{1 \le i < j \le k} x_i \neq x_j\Bigr) \;\rightarrow\; \Bigl(\bigwedge_{1 \le i \le k} (x_0 \neq x_i) \wedge \pm A(x_0, x_i)\Bigr),$$

so that, for a given $k$, there are exactly $2^k$ different formulas of that form. The
extension axiom $\mathrm{EA}(\tau)$ is the axiom $\forall x_1 \ldots x_k\, \exists x_0\, \tau(x_0, x_1, \ldots, x_k)$. A graph $G$
satisfies the strong extension axiom $\mathrm{SEA}(\tau)$ if, for all distinct vertices $x_1, \ldots, x_k$,
there are at least $\tfrac12 \cdot n/2^k$ vertices $x_0$ in $G$ satisfying $\tau(x_0, x_1, \ldots, x_k)$. The
extension axiom $\mathrm{EA}_k$ is the conjunction of all $2^k$ extension axioms $\mathrm{EA}(\tau)$ with $k + 1$
variables; the strong extension axiom $\mathrm{SEA}_k$ is the conjunction of all $2^k$ strong
extension axioms $\mathrm{SEA}(\tau)$ for all $\tau$ with $k + 1$ variables.

Thus, $\mathrm{EA}_k$ says that every possible configuration for a vertex $x_0$, relative to
$k$ given vertices $x_1, \ldots, x_k$, actually occurs. $\mathrm{SEA}_k$ says that every such configuration
occurs fairly often.

Why $\tfrac12 \cdot n/2^k$? In a random graph with $n$ vertices, the probability that an
arbitrary vertex $a_0$, different from $a_1, \ldots, a_k$, satisfies $\tau(a_0, a_1, \ldots, a_k)$ is $1/2^k$,
so the expected number of vertices $a_0$ satisfying $\tau(a_0, a_1, \ldots, a_k)$ is $(n - k)/2^k$.
So with high probability, there are at least $\tfrac12 \cdot n/2^k$ vertices $a_0$ in $G$ satisfying
$\tau(a_0, a_1, \ldots, a_k)$. The factor $\tfrac12$ could be replaced with any positive constant
$c < 1$; that gives a strong extension axiom $\mathrm{SEA}_k$ with $c$ in place of $\tfrac12$.

Lemma 24 For each $k$, the asymptotic probability of $\mathrm{SEA}_k$ is 1.

The proof uses Chernoff’s inequality from probability theory. 
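As an added illustration (not from the paper), the following Python code decides $\mathrm{EA}_k$ and $\mathrm{SEA}_k$ on a concrete finite graph by enumerating, for every $k$-set of distinct vertices, how many vertices $x_0$ realize each of the $2^k$ types $\tau$; it also generalizes the threshold to an arbitrary factor $c$ as the text suggests. The adjacency-list representation, the seeded random graph and the function names are assumptions of this example.

```python
"""Added example (not from the paper): checking the extension axiom EA_k and
the strong extension axiom SEA_k on a finite graph given as an edge list."""
import random
from itertools import combinations, product


def adjacency(n, edges):
    """Neighbour sets for vertices 0..n-1 (graph is undirected, loops ignored)."""
    adj = [set() for _ in range(n)]
    for x, y in edges:
        if x != y:
            adj[x].add(y)
            adj[y].add(x)
    return adj


def min_witnesses(n, edges, k):
    """Minimum, over all sets of k distinct vertices x1..xk and all 2^k types
    tau (one adjacency bit per xi), of the number of vertices x0 different
    from x1..xk whose adjacency pattern to x1..xk is exactly tau.

    EA_k holds iff this minimum is >= 1; SEA_k (factor 1/2) iff it is
    >= (1/2) * n / 2^k.  Types are symmetric in x1..xk, so it suffices to
    range over k-subsets rather than ordered k-tuples.
    """
    adj = adjacency(n, edges)
    best = None
    for xs in combinations(range(n), k):
        counts = {tau: 0 for tau in product((False, True), repeat=k)}
        for x0 in range(n):
            if x0 in xs:
                continue
            counts[tuple(x0 in adj[x] for x in xs)] += 1
        fewest = min(counts.values())
        best = fewest if best is None else min(best, fewest)
    return best


def satisfies_ea(n, edges, k):
    """EA_k: every type tau is realized by at least one vertex x0."""
    return min_witnesses(n, edges, k) >= 1


def satisfies_sea(n, edges, k, c=0.5):
    """SEA_k with factor c: every type is realized by at least c * n / 2^k
    vertices; c = 1/2 is the version used in the text."""
    return min_witnesses(n, edges, k) >= c * n / 2 ** k


def random_graph(n, seed=0):
    """Constructed seeded G(n, 1/2) sample, each pair an edge with probability 1/2."""
    rng = random.Random(seed)
    return [(x, y) for x, y in combinations(range(n), 2) if rng.random() < 0.5]


if __name__ == "__main__":
    # Constructed 4-cycle: EA_1 and SEA_1 hold, but EA_2 already fails because
    # no vertex is adjacent to both endpoints of an edge.
    c4 = [(0, 1), (1, 2), (2, 3), (3, 0)]
    print(satisfies_ea(4, c4, 1), satisfies_sea(4, c4, 1), satisfies_ea(4, c4, 2))
    print(min_witnesses(60, random_graph(60), 2))
```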

8 Supports 

In this section, we describe the notion of symmetry with respect to partial automorphisms
that will, as explained in Section 4, apply to all objects involved
in a computation and lead to winning strategies for the duplicator in certain
Ehrenfeucht-Fraïssé games. Two numerical parameters will be involved in this
notion of symmetry, namely the size of the partial automorphisms and the number
of atoms a symmetric object can depend on. The appropriate values for these
parameters will depend on the BGS program and the polynomial bound on the
number of active elements.

For the purposes of this section, let $q \ge 1$ and $k \ge 4$ be fixed integers. When
this material is applied in the proof of Theorem 0, $q$ will be the degree of a
polynomial bounding the number of involved elements (obtainable from $\Pi$ and
the bound on active elements, via Lemma 23) and $k$ will be $2B + 4$, where $B$ is
as in Proposition 11.

We assume that the input graph $(I, A)$ satisfies the extension axioms for up
to $3kq$ variables. (We don’t need the strong extension axioms yet.)

For brevity we adopt the conventions that

— $w, x, y, z$ (possibly with subscripts, superscripts, or accents) stand for members
of $HF(I)$,

— $a, b, c$ (possibly with subscripts, superscripts, or accents) stand for sets of
$\le q$ atoms, and we call such sets possible supports, and

— $\alpha, \beta, \gamma, \delta, \zeta$ (possibly with subscripts or superscripts) stand for partial automorphisms
of the graph $(I, A)$ whose domains have

The inverse $\alpha^{-1}$ of a motion and the composite $\alpha \circ \beta$ of two motions are defined
in the obvious way. In particular, the domain of $\alpha \circ \beta$ is $\beta^{-1}(\mathrm{Dom}(\alpha))$.

The extension axioms imply that, if $\alpha$ is a motion and $s$ is a set of atoms
with $|\mathrm{Dom}(\alpha)| + |s| \le kq$, then $\alpha$ can be extended to a motion whose domain
includes $s$. (In fact, the extension axioms imply considerably more, as they go
up to $3kq$ variables, not just the $kq$ needed for the preceding statement.)

We next define, by simultaneous recursion on the rank of $x$, the three concepts
“$a$ supports $x$,” “$x$ is supported,” and “$\hat\alpha(x)$,” where the last of these is defined
if and only if $\mathrm{Dom}(\alpha)$ includes some $a$ that supports $x$.

Definition 25 If $x$ is an atom, then

— $a$ supports $x$ if and only if $x \in a$,

— $x$ is supported (always), and

— $\hat\alpha(x) = \alpha(x)$.

If, on the other hand, $x$ is a set, then

— $a$ supports $x$ if and only if every $y \in x$ is supported and, for every $y$ of
lower rank than $x$ and every motion $\alpha$, if $\alpha$ pointwise fixes $a$ and if $\mathrm{Dom}(\alpha)$
includes some set supporting $y$, then

$$y \in x \iff \hat\alpha(y) \in x,$$

— $x$ is supported if and only if some $a$ supports $x$, and

— if $a$ supports $x$ and $a \subseteq \mathrm{Dom}(\alpha)$, then $\hat\alpha(x)$ is the set of all $\hat\beta(y)$ where $y \in x$,
$\beta \restriction a = \alpha \restriction a$, and $\mathrm{Dom}(\beta)$ includes some support of $y$.

The definition of $\hat\alpha(x)$ when $x$ is a set seems to depend on the choice of a
particular support $a$ of $x$. The first part of the following lemma gets rid of that
apparent dependence; the rest of the lemma gives useful technical information
about supports and about the application of motions to supported sets.

Lemma 26 1. $\hat\alpha$ is well-defined. Specifically, if $a_1$ and $a_2$ both support $x$ and
are both included in $\mathrm{Dom}(\alpha)$, then $\hat\alpha^{1}(x)$ and $\hat\alpha^{2}(x)$, defined as above using
$a_1$ and $a_2$ respectively, are equal.

2. If $a$ supports $x$ and $a \subseteq \mathrm{Dom}(\alpha) \cap \mathrm{Dom}(\beta)$ and $\alpha \restriction a = \beta \restriction a$, then $\hat\alpha(x) =
\hat\beta(x)$.

3. If $\hat\alpha(x)$ is defined then it has the same rank as $x$.

4. If $\alpha$ is an identity map, then so is $\hat\alpha$, i.e., $\hat\alpha(x) = x$ whenever $\hat\alpha(x)$ is defined.

5. $\hat\alpha$ is a partial automorphism of the structure $(HF(I), \in, I, A)$. In other words,
$\hat\alpha(I) = I$ and, whenever $x$ and $x'$ have supports included in $\mathrm{Dom}(\alpha)$,

$$x' = x \iff \hat\alpha(x') = \hat\alpha(x)$$

$$x' \in x \iff \hat\alpha(x') \in \hat\alpha(x)$$

$$x' \,A\, x \iff \hat\alpha(x') \,A\, \hat\alpha(x).$$

6. If $a$ supports $x$ and $a \subseteq \mathrm{Dom}(\alpha)$ then $\alpha[a]$ supports $\hat\alpha(x)$.

7. If $\hat\alpha(x)$ is defined and $a \subseteq \mathrm{Dom}(\alpha)$ and $\alpha[a]$ supports $\hat\alpha(x)$, then $a$ supports
$x$.

8. $\widehat{\beta \circ \alpha} = \hat\beta \circ \hat\alpha$ in the following sense: If $\widehat{\beta \circ \alpha}(x)$ is defined then so is $\hat\beta(\hat\alpha(x))$
and they are equal.

All eight parts of the lemma are proved together, by induction on the maximum
of the ranks of $x$ and $x'$. We omit the tedious proof.

Definition 27 $S$ is the collection of supported objects in $HF(I)$. We also write
$S$ for the structure $(S, I, \in, A)$.

By the definition of supports, $S$ is a transitive set containing all the atoms; by
(5) of Lemma 26 it also contains $I$. Furthermore, by (5) and (6) of that lemma,
each $\hat\alpha$ is a partial automorphism of $S$. In fact, as the following lemma shows, the
$\hat\alpha$’s are much better than just partial automorphisms, because they fit together
well. Recall that $L^k_{\infty\omega}$ is the part of the infinitary first-order language $L_{\infty\omega}$
(allowing infinite conjunctions and disjunctions) consisting of formulas with at
most $k$ variables (free or bound, but the same variable can be re-used). Recall
also that $k \ge 4$ is fixed throughout this section.

Lemma 28 Let $\varphi$ be a formula of $L^k_{\infty\omega}$ with $j \le k$ free variables. Let $\alpha$ be a
motion, and let $x_1, \ldots, x_j$ be elements of $S$ with supports included in $\mathrm{Dom}(\alpha)$.
Then

$$S \models \varphi(x_1, \ldots, x_j) \iff S \models \varphi(\hat\alpha(x_1), \ldots, \hat\alpha(x_j)).$$

Proof. We give a strategy for the duplicator in the Ehrenfeucht-Fraïssé game
for $L^k_{\infty\omega}$. At any stage of the game, let $y_i$ and $z_i$ be the positions of the pebbles
on the two boards; so initially, $y_i = x_i$ and $z_i = \hat\alpha(x_i)$. The duplicator’s strategy
is to arrange that there is always a motion $\beta$ whose $\hat\beta$ sends each $y_i$ to the corresponding
$z_i$. There is such a $\beta$ initially, namely $\alpha$, and as long as he maintains
such a $\beta$ the duplicator cannot lose, by (5) of Lemma 26. So we need only check
that, if such a $\beta$ exists and then the spoiler moves, the duplicator can move so
that again a (possibly new) $\beta$ does the job. Without loss of generality, suppose
the spoiler moves the first pebble on the left board from its position $y_1$ to a new
$y'_1 \in S$. Restrict the old $\beta$ to the union of supports of the $y_i$ for $i \neq 1$. There
are strictly fewer than $k$ of these supports, hence at most $(k - 1)q$ points in the
domain of the restricted $\beta$. So we can extend this motion to a new $\beta$ having in its
domain some support of the new $y'_1$. The resulting $\hat\beta(y'_1)$ is where the duplicator
should move the pebble from $z_1$. The resulting board position and the new $\beta$
satisfy the specification of the duplicator’s strategy (thanks to (2) of Lemma 26).
So we have shown that the duplicator can carry out the indicated strategy. □

We shall need variants of these results, dealing with two graphs and the
universes of hereditarily finite sets built over them. Specifically, suppose $(I_1, A)$
and $(I_2, A)$ are graphs satisfying the extension axioms for up to $3kq$ variables.
(We’ve simplified notation slightly by using the same name $A$ for the adjacency
relations in both graphs.) For $i, j \in \{1, 2\}$, we define an $i,j$-motion to be
a partial isomorphism of size at most $kq$ from $I_i$ to $I_j$. Thus 1,1-motions and
2,2-motions are motions in the earlier sense for $I_1$ and $I_2$, respectively.
If $\alpha$ is a 1,2-motion, then we define $\hat\alpha(x)$ for all $x \in HF(I_1)$ having supports
included in $\mathrm{Dom}(\alpha)$. We do this in exact analogy with the earlier definition: If
$x$ is an atom then $\hat\alpha(x) = \alpha(x)$. If $x$ is a set with a support $a \subseteq \mathrm{Dom}(\alpha)$, then
$\hat\alpha(x)$ is the set of all $\hat\beta(y)$ where $y \in x$, $\beta$ is a 1,2-motion extending $\alpha \restriction a$, and
$\mathrm{Dom}(\beta)$ includes some support of $y$.

Similarly, we define $\hat\alpha(x)$ when $\alpha$ is a 2,1-motion and $x \in HF(I_2)$ has a support
$\subseteq \mathrm{Dom}(\alpha)$. These definitions together with the definitions already available
from Section 0 for 1,1- and 2,2-motions allow us to refer to $\hat\alpha(x) \in HF(I_j)$
whenever $\alpha$ is an $i,j$-motion and $x \in HF(I_i)$ has a support included in $\mathrm{Dom}(\alpha)$.

We can now repeat the earlier arguments in this slightly more general context.
No conceptual changes or additions are needed, only a little bookkeeping to keep
track of the four different sorts of motions. We exhibit for future reference the
1,2-analog of Lemma 28. Let $S_i$ be the collection of supported objects in $HF(I_i)$;
as before, we also write $S_i$ for the structure $(S_i, \in, I_i, A)$.

Lemma 29 Let $\varphi$ be a formula of $L^k_{\infty\omega}$ with $j \le k$ free variables. Let $\alpha$ be a 1,2-motion,
and let $x_1, \ldots, x_j$ be elements of $S_1$ with supports included in $\mathrm{Dom}(\alpha)$.
Then

$$S_1 \models \varphi(x_1, \ldots, x_j) \iff S_2 \models \varphi(\hat\alpha(x_1), \ldots, \hat\alpha(x_j)).$$

9 Combinatorics 

In this section, we describe (without proof) the main combinatorial lemma
needed in the proof of the zero-one law. The parameters $q$ and $k$ are fixed as before,
and the graph $(I, A)$ of atoms is now assumed to satisfy the strong extension
axioms for up to $3kq$ variables.

By a polymer we mean a sequence of at most $kq$ atoms. (The reason for
the terminology is that, in [5], we used “molecule” for a one-to-one listing of a
support; here that would be a sequence of length $q$. A polymer is essentially the
concatenation of up to $k$ molecules. It gives the supports for up to $k$ objects.)
The configuration of a polymer consists of the following information: which components
are equal and which are adjacent in the graph of atoms. If the polymer
has length $l$, then its configuration could be viewed as the combination of an
equivalence relation on $\{1, 2, \ldots, l\}$ (telling which components are equal) and an
irreflexive symmetric relation on the quotient set (telling which components are
adjacent). By the joint configuration of two (or more) polymers, we mean the
equality and adjacency information about all components of both (or all) of the
polymers. It could be viewed as the configuration of the concatenation of the
polymers, except for the technicality that the concatenation may be too long to
count as a polymer.

We shall be concerned with equivalence relations of the following sort. 

Definition 30 A configuration-determined equivalence (cde for short) is an
equivalence relation $E$ with the following two properties.

— Its domain consists of all polymers of one specified configuration.

— Whether two polymers $\xi$ and $\eta$ of this configuration are related by $E$ depends
only on their joint configuration.

When dealing with polymers $\xi$ of a specified configuration (e.g., those in the
domain of a cde), we can simplify their presentation by omitting any repetitions
of components in $\xi$. Because of the tight correspondence between the polymers
$\xi$ of a known configuration and these compressed versions, we can confine our
attention to the compressed versions; that is, we can assume that we deal only
with polymers that are one-to-one sequences.

Theorem 31 Assume that $|\mathit{Atoms}| \ge$ . Let $E$ be a configuration-determined
equivalence with fewer than

$$\frac{1}{(q + 1)!}\left(\frac{|\mathit{Atoms}|}{\;\;}\right)^{q+1}$$

equivalence classes. Let $l$ be the common length of the polymers in the domain of
$E$. There exists a set $u \subseteq \{1, 2, \ldots, l\}$ of size at most $q$, and there exists a group
$G$ of permutations of $u$ such that, for any $\xi$ and $\eta$ in the domain of $E$,

$$\xi \, E \, \eta \iff (\exists \sigma \in G)\,(\forall i \in u)$$

Notice that, although $l$ can be as large as $kq$, the theorem requires $u$ to be
relatively small, of size at most $q$.

The conclusion of the theorem completely describes $E$ in terms of $u$ and $G$.
It says that the $E$-equivalence class of $\xi$ consists of those polymers (of the right
configuration) obtainable from $\xi$ by

— permuting the components indexed by $u$, using a permutation from $G$, and

— changing the other components completely arbitrarily.

In particular, the equivalence class of $\xi$ depends only on the $\xi_i$ for $i \in u$.

The hypothesis of the theorem involves a complicated bound on the number of
equivalence classes. Most of the complication disappears if one remembers that $q$
and $k$ are fixed, so the bound is, up to a constant factor, just $|\mathit{Atoms}|^{q+1}$. When
we apply the theorem, the cde’s of interest will be such that the equivalence
classes correspond to elements involved in the computation, so their number is
bounded by a polynomial in $|\mathit{Atoms}|$ of degree at most $q$. So the bound will
automatically be satisfied once the number of atoms is large enough.

Because of space and time limitations, we omit Shelah’s proof of this combi- 
natorial theorem. 



10 Putting the Proof Together 

Consider a BGS program $\Pi$ and a polynomial bound on the number of active elements. According to Lemma|231 we obtain a polynomial bound on the number of elements involved in $\Pi$ at any stage of the computation. Let $q$ be the degree of this polynomial. Also, let $k = 2B + 4$ where $B$ is the bound from Proposition HD on the number of variables in the set-theoretic formulas describing the computation of $\Pi$. Whenever we refer to supports, motions, etc., we take these concepts to refer to the particular $q$ and $k$ just introduced.

In the following theorem, to say that a formula is absolute for $S$ means that the formula's meaning does not change if the quantifiers are interpreted as ranging over the class $S$ of supported objects rather than over all of $HF(I)$.

Theorem 32 Assume that all active elements in state are supported. Then the following are true for every term-task $(t, a) \prec \Pi$, provided the input graph $(I, A)$ satisfies the strong extension axioms up to Skq variables and is large enough.

1. If $(t, a) \prec (t', a')$ and if $\sigma$ is a motion whose domain includes supports of all the elements of $a$, then $(t, \sigma(a)) \prec (t', \sigma(a'))$.

2. All elements of $a$ and of $Val(t, a)$ are supported.

3. The formula defining $x \in Val(t, y)$ is absolute for $S$ when $y$ is instantiated to $a$.

4. $Val(t, a)$ is supported. Furthermore, given supports for all components of $a$, their union includes a support for $Val(t, a)$.

5. The formula defining $x = Val(t, y)$ is absolute for $S$ when $y$ is instantiated to $a$.

All five parts of the theorem are proved in a simultaneous induction on $(t, a)$ with respect to the rank function $\rho$ from Proposition ^^ on the computational order. The proof is too long to give here, but we describe a few points in it that explain why much of the work in previous sections is needed.

The computational order, and specifically the range clause in its definition, are crucial in the proof of (1). Consider, for example, a situation where $a = (c, b)$ and $(t, c, b) \prec (t', c)$ where $b$ is the value assigned to a variable $v$ bound by $t'$ and thus pseudo-free in the subterm $t$. So $b \in Val(r, c)$, where $r$ is the range of $v$. To show that $(t, \sigma(c), \sigma(b)) \prec (t', \sigma(c))$, we want to know that $\sigma(b) \in Val(r, \sigma(c))$. Fortunately, the range clause makes $(r, c)$ a computational predecessor of $(t, c, b)$, so we can apply induction hypotheses (2) and (3) to it. Thus, the fact that $b \in Val(r, c)$ can be expressed as a set-theoretic statement true in $S$. And this statement will retain its truth value when we apply $\sigma$, by Lemma EEl.

The combinatorial Theorem is used in the hardest case in the proof of (4), namely where $t$ is $\{s : v \in r : \varphi\}$. Choose supports for all the $a_i$ and let $\xi_0$ be a polymer in which all those supports are listed. For any other polymer $\xi$ of the same configuration as $\xi_0$, let $\sigma$ be the motion sending $\xi_0$ to $\xi$. Write $t(\xi)$ for $Val(t, \sigma(a))$. In particular, $t(\xi_0)$ is the object $Val(t, a)$ that we hope to prove to be supported.

Define an equivalence relation $E$ on the set of polymers of the same configuration as $\xi_0$ by

$\xi \mathrel{E} \xi' \iff t(\xi) = t(\xi').$

One can verify, using the induction hypotheses and Lemma EHl that this $E$ is configuration-determined. The number of equivalence classes of $E$ is the number of different elements of the form $t(\xi) = Val(t, \sigma(a))$. It follows from part (1) that the number of such elements is bounded by a constant times ... That's smaller than the bound required in the Dichotomy Theorem, a polynomial of degree $q + 1$, provided $|I|$ is large enough. So applying the combinatorial Theorem we find that $t(\xi)$ depends only on the restriction of $\xi$ to a certain set $u$ of size at most $q$. Then one can show that the range of $\xi \restriction u$ supports $Val(t, a)$.

Corollary 33 Assume that all active elements in state are supported. Then so are all objects involved in $\Pi$ with respect to .

This is immediate from part (4) of the theorem and the definition of “involved.” By Lemma it implies that every active element of the sequel is supported, and so the theorem and its corollary are applicable to the sequel. Proceeding inductively and then invoking Lemma E2I we find that the set-theoretic formulas describing the computation are all absolute for $S$ as long as the polynomial bound on the number of active elements is obeyed. But then, thanks to Lemma I2HI the truth values of these formulas and therefore the behavior of the computation are the same for all input graphs that satisfy the necessary strong extension axioms and are sufficiently large. By virtue of Lemma the class of such graphs has asymptotic probability 1, so Theorem El is proved.

11 Extension and Strong Extension 

The zero-one law for first-order logic is based on the extension axioms: for every first-order sentence $\varphi$ (of relational vocabulary), there exists $k$ such that $EA_k$ implies $\varphi$ or $EA_k$ implies $\neg\varphi$. The same holds for fixed-point logic FO+LFP and for the infinitary logic. However, extension axioms are too weak to support the zero-one law for CPTime. We give an example of a single polynomial time BGS program that separates structures satisfying arbitrarily many extension axioms. So strong extension axioms are really needed for the CPTime zero-one law.

Example 34 For simplicity, we consider graphs equipped with a unary relation, $(I, A, R)$. We informally describe a BGS program computing the maximal size of a clique included in $R$.

— In mode Initial, initialize $i$ and $p$ to 0, initialize $C$ to $\{\emptyset\}$, and go to mode Compute. Intuitively, $i$ is a counter, $p$ is the parity of $i$ and $C$ is the collection of all subsets of $R$ of size $i$.

— In mode Compute, increase $i$ by one, flip $p$, update $C$ as follows

$C := \{x \cup \{y\} : x \in C \wedge y \in R\}$

and go to mode Decide.

— In mode Decide, check if $C$ contains a clique. If yes then go to mode Compute; otherwise output $1 - p$ and halt.
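The three modes above, as an added simulation written for this page in Python (not the paper's BGS program). It assumes that the comprehension for $C$ is read as $\{x \cup \{y\} : x \in C,\ y \in R \setminus x\}$, so that $C$ is exactly the family of $i$-element subsets of $R$ as the text describes it, and it uses a constructed sample graph; a brute-force clique number is included only to check the program's output.

```python
# Added example (not the paper's program): a direct simulation of the three-mode BGS
# program of Example 34 on a concrete input (I, A, R). The comprehension for C is read
# as {x u {y} : x in C, y in R \ x}, so that C is exactly the family of i-element
# subsets of R, as the text describes C. A is a set of unordered edges over I.
from itertools import combinations
from typing import FrozenSet, Set

def is_clique(x: FrozenSet[int], A: Set[FrozenSet[int]]) -> bool:
    # every pair of distinct vertices of x is adjacent (vacuously true for |x| <= 1)
    return all(frozenset(pair) in A for pair in combinations(x, 2))

def clique_parity_program(A: Set[FrozenSet[int]], R: Set[int]) -> int:
    """Runs modes Initial / Compute / Decide and returns the program's output 1 - p."""
    mode, i, p, C = "Initial", 0, 0, set()
    while True:
        if mode == "Initial":
            i, p, C = 0, 0, {frozenset()}     # i: counter, p: parity of i, C = {empty set}
            mode = "Compute"
        elif mode == "Compute":
            i, p = i + 1, 1 - p                         # increase i, flip p
            C = {x | {y} for x in C for y in R - x}     # all i-element subsets of R
            mode = "Decide"
        else:                                           # Decide
            if any(is_clique(x, A) for x in C):
                mode = "Compute"
            else:
                # i is the first size with no clique inside R, so 1 - p = (i - 1) mod 2,
                # the parity of the clique number of (R, A restricted to R)
                return 1 - p

def clique_number(A: Set[FrozenSet[int]], R: Set[int]) -> int:
    # brute-force reference value: the largest clique contained in R
    return max((k for k in range(len(R) + 1)
                if any(is_clique(frozenset(x), A) for x in combinations(sorted(R), k))),
               default=0)

# Constructed sample input: vertices 1..6, a triangle on {1,2,3} plus edges {3,4} and {5,6}.
SAMPLE_A = {frozenset(e) for e in [(1, 2), (1, 3), (2, 3), (3, 4), (5, 6)]}
```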
Consider running this program on the input having vertex set $\{1, 2, \ldots, n\}$, a random adjacency relation $A$, and $R$ interpreted as $\{1, 2, \ldots, r\}$ for some $r < n$. It follows from results in ^ Section XI.1] that there are values of $r$ of magnitude roughly $\log n \cdot \log \log n$ for which the clique number of $(R, A \restriction R)$ is very probably even and there are other nearby values of $r$ for which this clique number is very probably odd. Also, because $r$ is so much smaller than $n$ (and the cliques smaller yet) the computation of $\Pi$ will very probably activate fewer than $n$ sets. So we can impose a polynomial bound slightly larger than $2n$ and be reasonably certain that the computation will halt. Finally, by choosing $r$ and therefore $n$ large enough, one can ensure (again with very high probability) that the graphs under consideration satisfy any specified extension axiom $EA_k$.

Since the strong extension axioms go beyond the ordinary extension axioms, one might hope that they imply some of the classical properties of almost all graphs, like rigidity and hamiltonicity, that are known [3] not to follow from extension axioms.

This is not the case for rigidity. The non-rigid graphs constructed in [3] — random modulo an imposed symmetry — can be shown to also satisfy strong extension axioms.

For Hamiltonicity, the situation is less clear. We can show, again using the construction from P|, that the axioms $SEA_c$ for $c < \ldots$ do not imply Hamiltonicity. For $c > \ldots$, these examples no longer work, but we do not know whether others are available.

12 The Almost Sure Theory Is Undecidable 

In the case of first-order logic, the almost sure theory (that is, the set of almost surely true sentences) is decidable. The same holds if we add the least fixed point operator to first-order logic [Q. But it fails for CPTime.

Proposition 35 The class of almost surely accepting polynomially bounded programs and the class of almost surely rejecting polynomially bounded programs are recursively inseparable.

Proof. Consider Turing machines with two halting states $h_1$ and $h_2$. For $i = 1, 2$, let $H_i$ be the collection of Turing machines that halt in state $h_i$ on the empty input tape. It is well-known that $H_1$ and $H_2$ are recursively inseparable. Associate to each Turing machine $T$ a polynomial time BGS program $\Pi$ as follows. The program $\Pi$ ignores its input graph and simulates $T$ on the empty input tape (working exclusively with pure sets). $\Pi$ outputs true (resp. false) if $T$ halts in state $h_1$ (resp. $h_2$). The polynomial bounds on steps and activated elements are both the identity function, i.e., the number of atoms. Then if $T \in H_1$ (resp. $T \in H_2$) our polynomial time BGS program will accept (resp. reject) all sufficiently large inputs. □
Abstract. We define three composition and structuring concepts which reflect frequently used refinements of ASMs and integrate standard structuring constructs into the global state based parallel ASM view of computations. First we provide an operator which combines the atomic update view of ASMs with sequential machine execution and naturally incorporates classical iteration constructs into ASMs. For structuring large machines we define their parameterization, leading to a notion of possibly recursive submachine calls which sticks to the bare logical minimum needed for sequential ASMs, namely consistency of simultaneous machine operations. For encapsulation and state hiding we provide ASMs with local state, return values and error handling.

Some of these structuring constructs have been implemented in ASMGofer. We provide also a proof-theoretic definition which supports the use of common structured proof principles for proving properties for complex machines in terms of properties of their components.



1 Introduction 

It has often been observed that Gurevich's definition of Abstract State Machines (ASMs) uni uses only conditional assignments and supports none of the classical control or data structures. On the one side this leaves the freedom - necessary for high-level system design and analysis - to introduce during the modeling process any control or data structure whatsoever which may turn out to be suitable for the application under study. On the other hand it forces the designer to specify standard structures over and over again when they are needed, at the latest when it comes to implement the specification. In this respect ASMs are similar to Abrial's Abstract Machines P which are expressed by non-executable pseudo-code without sequencing or loop (Abstract Machine Notation, AMN). In particular there is no notion of submachine and no calling mechanism. For both Gurevich's ASMs and Abrial's Abstract Machines, various notions of refinement have been used to introduce the classical control and data structures. See for example the definition in HSl of recursion as a distributed ASM computation (where calling a recursive procedure is modeled by creating a new instance of multiple agents executing the program for the procedure body) and the definition in 0 12.5] of recursive AMN calls of an operation as calls to the operation of the importing the implementing machine.

Operations of B-Machines Q and of ASMs come in the form of atomic actions. The semantics of ASMs provided in m is defined in terms of a function $next$ from states (structures) to states which reflects one step of machine execution. We extend this definition to a function describing, as one step, the result of executing an a priori unlimited number $n$ of basic machine steps. Since $n$ could go to $\infty$, this naturally leads to consider also non halting computations. We adapt this definition to the view of simultaneous atomic updates in a global state, which is characteristic for the semantics of ASMs, and avoid prescribing any specific syntactic form of encapsulation or state hiding. This allows us to integrate the classical control constructs for sequentialization and iteration into the global state based ASM view of computations. Moreover this can be done in a compositional way, supporting the corresponding well known structured proof principles for proving properties for complex machines in terms of properties of their components. We illustrate this by providing structured ASMs for computing arbitrary computable functions, in a way which combines the advantages of functional and of imperative programming. The atomicity of the ASM iteration constructor we define below turned out to be the key for a rigorous definition of the semantics of event triggered exiting from compound actions of UML activity and state machine diagrams, where the intended instantaneous effect of exiting has to be combined with the request to exit nested diagrams sequentially following the subdiagram order, see pg.

For structuring large ASMs extensive use has been made of macros as notational shorthands. We enhance this use here by defining the semantics of named parameterized ASM rules which include also recursive ASMs. Aiming at a foundation which supports the practitioners' procedural understanding and use of submachine calls, we follow the spirit of the basic ASM concept m where domain theoretic complications - arising when explaining what it means to iterate the execution of a machine “until ...” - have been avoided, namely by defining only the one-step computation relation and by relegating fixpoint (“termination”) concerns to the metatheory. Therefore we define the semantics of submachine calls only for the case that the possible chain of nested calls of that machine is finite. We are thus led to a notion of calling submachines which mimics the standard imperative calling mechanism and can be used for a definition of recursion in terms of sequential (not distributed) ASMs. This definition suffices to justify the submachines used in |H| for a hierarchical decomposition of the Java Virtual Machine into loading, verifying and executing machines for the five principal language layers (imperative core, static classes, object oriented features, exception handling and concurrency).

The third kind of structuring mechanism for ASMs we consider in this paper is of syntactical nature, dealing essentially with name spaces. Parnas' PH information hiding principle is strongly supported by the ASM concept of external functions which provides also a powerful interface mechanism (see 0). A more syntax oriented form of information hiding can be naturally incorporated into ASMs through the notion of local machine state, of machines with return values and of error handling machines which we introduce in Section 0.

Some of these concepts have been implemented in ASMGofer allowing us to define executable versions of the machines for Java and the JVM in

2 Standard ASMs 

We start from the definition of basic sequential (i.e. non distributed) ASMs in m and survey in this section our notation.

Basic ASMs are built up from function updates and skip by parallel composition and constructs for if then else, let and forall. We consider the choose-construct as a special notation for using choice functions, a special class of external functions. Therefore we do not list it as an independent construct in the syntactical definition of ASMs. It appears however in the appendix because the non-deterministic selection of the choose-value is directly related to the non-deterministic application of the corresponding deduction rule.

The interpretation of an ASM in a given state $\mathfrak{A}$ depends on the given environment $Env$, i.e. the interpretation $\zeta \in Env$ of its free variables. We use the standard interpretation of terms $t$ in state $\mathfrak{A}$ under variable interpretation $\zeta$, but we often suppress mentioning the underlying interpretation of variables. The semantics of standard ASMs is defined in m by assigning to each rule $R$, given a state $\mathfrak{A}$ and a variable interpretation $\zeta$, an update set $[\![R]\!]^{\mathfrak{A}}_{\zeta}$ which - if consistent - is fired in state $\mathfrak{A}$ and produces the next state $next_R(\mathfrak{A}, \zeta)$.

An update set is a set of updates, i.e. a set of pairs $(loc, val)$ where $loc$ is a location and $val$ is an element in the domain of $\mathfrak{A}$ to which the location is intended to be updated. A location is an $n$-ary function name $f$ with a sequence of length $n$ of elements in the domain of $\mathfrak{A}$, denoted by $f(a_1, \ldots, a_n)$. If $u$ is an update set then $Locs(u)$ denotes the set of locations occurring in elements of $u$ ($Locs(u) = \{loc \mid \exists val : (loc, val) \in u\}$). An update set $u$ is called inconsistent if $u$ contains at least two pairs $(loc, v_1)$ and $(loc, v_2)$ with $v_1 \neq v_2$ (i.e. $|u| > |Locs(u)|$), otherwise it is called consistent.

For a consistent update set $u$ and a state $\mathfrak{A}$, the state $fire_{\mathfrak{A}}(u)$, resulting from firing $u$ in $\mathfrak{A}$, is defined as the state $\mathfrak{A}'$ which coincides with $\mathfrak{A}$ except that $f^{\mathfrak{A}'}(a) = val$ for each $(f(a), val) \in u$. Firing an inconsistent update set is not allowed, i.e. $fire_{\mathfrak{A}}(u)$ is not defined for inconsistent $u$. This definition yields the following (partial) next state function $next_R$ which describes one application of $R$ in a state with a given environment function $\zeta \in Env$. We often write also $next(R)$ instead of $next_R$.

$next_R : State(\Sigma) \times Env \to State(\Sigma)$
$next_R(\mathfrak{A}, \zeta) = fire_{\mathfrak{A}}([\![R]\!]^{\mathfrak{A}}_{\zeta})$

The following definitions describe the meaning of standard ASMs. We use $R$ and $S$ for rules, $x$ for variables, $s$ and $t$ for expressions, $p$ for predicates (boolean expressions), and $u, v$ for semantical values and update sets. We write $f^{\mathfrak{A}}$ for the interpretation of the function $f$ in state $\mathfrak{A}$, and $\zeta' = \zeta^x_v$ is the variable environment which coincides with $\zeta$ except for $x$, where $\zeta'(x) = v$.

$[\![f(t_1, \ldots, t_n) := s]\!]^{\mathfrak{A}}_{\zeta} = \{(f([\![t_1]\!]^{\mathfrak{A}}_{\zeta}, \ldots, [\![t_n]\!]^{\mathfrak{A}}_{\zeta}),\ [\![s]\!]^{\mathfrak{A}}_{\zeta})\}$

$[\![\text{skip}]\!]^{\mathfrak{A}}_{\zeta} = \emptyset$

$[\![R_1 \ldots R_n]\!]^{\mathfrak{A}}_{\zeta} = \bigcup_{i} [\![R_i]\!]^{\mathfrak{A}}_{\zeta}$

$[\![\text{if } t \text{ then } R \text{ else } S]\!]^{\mathfrak{A}}_{\zeta} = \begin{cases} [\![R]\!]^{\mathfrak{A}}_{\zeta}, & \text{if } [\![t]\!]^{\mathfrak{A}}_{\zeta} = true \\ [\![S]\!]^{\mathfrak{A}}_{\zeta}, & \text{otherwise} \end{cases}$

$[\![\text{let } x = t \text{ in } R]\!]^{\mathfrak{A}}_{\zeta} = [\![R]\!]^{\mathfrak{A}}_{\zeta^x_v}$ where $v = [\![t]\!]^{\mathfrak{A}}_{\zeta}$

$[\![\text{forall } x \text{ with } p \text{ do } R]\!]^{\mathfrak{A}}_{\zeta} = \bigcup_{v \in V} [\![R]\!]^{\mathfrak{A}}_{\zeta^x_v}$ where $V = \{v \mid [\![p]\!]^{\mathfrak{A}}_{\zeta^x_v} = true\}$

Remark: Usually the parallel composition $\{R_1, \ldots, R_n\}$ of rules $R_i$ is denoted by displaying the $R_i$ vertically one above the other.

For a standard ASM $R$, the update set $[\![R]\!]^{\mathfrak{A}}_{\zeta}$ is defined for any state $\mathfrak{A}$ and for any variable environment $\zeta$, but $next_R(\mathfrak{A}, \zeta)$ is undefined if $[\![R]\!]^{\mathfrak{A}}_{\zeta}$ is inconsistent.



3 Sequential Composition and Iteration 

The basic composition of ASMs is parallel composition, and this is so for a fundamental reason explained in m. It is for practical purposes that in this section we incorporate into ASMs their sequential composition and their iteration, but in a way which fits the basic paradigm of parallel execution of all the rules of a given ASM. The idea is to treat the sequential execution $P$ seq $Q$ of two rules $P$ and $Q$ as an “atomic” action, in the same way as executing a function update $f(t_1, \ldots, t_n) := s$, and similarly for the iteration iterate($R$) of rule $R$, i.e. the repeated application of sequential composition of $R$ with itself, as long as possible. The notion of repetition yields a definition of the traditional while (cond) $R$ construct which is similar to its proof theoretic counterpart in m 9.2.1]. Whereas Abrial explicitly excludes sequencing and loop from the specification of abstract machines ^ pg. 373], we take a more pragmatic approach and define them in such a way that they can be used coherently in two ways, depending on what is needed, namely to provide black-box descriptions of abstract submachines or glass-box views of their implementation (refinement).



3.1 Sequence Constructor 

If one wants to specify executing one standard ASM after another, this has to be explicitly programmed. Consider for example the function pop-back in the Standard Template Library for C++ (abstracting from concrete data structures). The function deletes the last element in a list. Assume further that we have already defined rules move-last and delete where move-last sets the list pointer to the last element and delete removes the current element. One may be tempted to program pop-back as follows to first execute move-last and then delete:

pop-back =
    if mode = Move then
        move-last
        mode := Delete
    if mode = Delete then
        delete
        mode := Move

This definition has the drawback that the user of pop-back must know that the action to be completed needs two steps, which really is an implementation feature. Moreover the dynamic function mode, which is used to program the sequential ordering, is supposed to be initialized by Move. Such an explicit programming of execution order quickly becomes a stumbling block for large specifications, in particular the initialization is not easily guaranteed without introducing an explicit initialization mechanism.

Another complication arises when sequentialized rules are used to refine abstract machines. In the machine on the left side of the picture below, assume that the simultaneous execution of the two rules $R$ and $S$ in state 1 leads to state 2. The machine on the right side is supposed to refine the machine on the left side with rules $R$ and $S$ refined into the sequence of rules $R_1 R_2 R_3$ and $S_1 S_2$ respectively. There is no obvious general scheme to interleave the $R_i$-rules and the $S_j$-rules, using a mode function as above. What should happen if rule $R_2$ modifies some locations which are read by $S_2$? In such cases $R$ and $S$ could not be refined independently of each other.




Therefore we introduce a sequence constructor yielding a rule $P$ seq $Q$ which can be inserted into another ASM but whose semantical effect is nevertheless the sequential execution of the two rules $P$ and $Q$. If the new rule $P$ seq $Q$ has to share the same status as any other ASM rule together with which it may be executed in parallel, one can define the execution of $P$ seq $Q$ only as an atomic action. Obviously this is only a way to “view” the sequential machine from outside; its refined view reveals its internal structure and behavior, constituted by the non atomic execution, namely in two steps, of first $P$ and then $Q$.

Syntactically the sequential composition $P$ seq $Q$ of two rules $P$ and $Q$ is defined to be a rule. The semantics is defined as first executing $P$, obtaining an intermediate state, followed by executing $Q$ in the intermediate state. This is formalized by the following definition of the update set of $P$ seq $Q$ in state $\mathfrak{A}$.

Semantics: Let $P$ and $Q$ be rules. We define

$[\![P \text{ seq } Q]\!]^{\mathfrak{A}} = [\![P]\!]^{\mathfrak{A}} \oplus [\![Q]\!]^{\mathfrak{A}'}$

where $\mathfrak{A}' = next_P(\mathfrak{A})$ is the state obtained by firing the update set of $P$ in state $\mathfrak{A}$, if this is defined; otherwise $\mathfrak{A}'$ can be chosen arbitrarily. The operator $\oplus$ denotes the merging for update sets.

The merging of two update sets $u$ and $v$ by the operator $\oplus$ reflects that an update in $v$ overwrites an update in $u$ if it is for the same location, since through a destructive assignment $s := t$ the previous value of $s$ is lost. We merge an update set $v$ with $u$ (i.e. $u \oplus v$) only if $u$ is consistent, otherwise we stick to $u$ because then we want both $fire_{\mathfrak{A}}(u)$ and $fire_{\mathfrak{A}}(u \oplus v)$ to be undefined.

$u \oplus v = \begin{cases} \{(loc, val) \mid (loc, val) \in u \wedge loc \notin Locs(v)\} \cup v, & consistent(u) \\ u, & \text{otherwise} \end{cases}$



Proposition 1. (Persistence of inconsistency)

If $[\![P]\!]^{\mathfrak{A}}$ is not consistent, then $[\![P \text{ seq } Q]\!]^{\mathfrak{A}} = [\![P]\!]^{\mathfrak{A}}$.

The next proposition shows that the above definition of the seq constructor captures the intended classical meaning of sequential composition of machines, if we look at them as state transforming functions.¹ Indeed we could have defined seq via the composition of algebra transforming functions, similarly to its axiomatically defined counterpart in Abrial's AMN P| where seq comes as concatenation of generalized substitutions.

Proposition 2. (Compositionality of seq)

$next(P \text{ seq } Q) = next(Q) \circ next(P)$

This characterization illustrates that seq has the expected semiring properties on update sets.

Proposition 3. The ASM constructor seq has a left and a right neutral element and is associative, i.e. for rules $P$, $Q$, and $R$ the following holds:

$[\![\text{skip seq } R]\!]^{\mathfrak{A}} = [\![R \text{ seq skip}]\!]^{\mathfrak{A}} = [\![R]\!]^{\mathfrak{A}}$

$[\![P \text{ seq } (Q \text{ seq } R)]\!]^{\mathfrak{A}} = [\![(P \text{ seq } Q) \text{ seq } R]\!]^{\mathfrak{A}}$

¹ We assume that $f(x)$ is undefined if $x$ is undefined, for every function $f$ ($f$ is strict).
3.2 Iteration Constructor

Once a sequence operator is defined, one can apply it repeatedly to define the iteration of a rule. This provides a natural way to define for ASMs an iteration construct which encapsulates a computation with a finite but a priori not explicitly known number of iterated steps into an atomic action (one-step computation). As a by-product we obtain the classical loop and while constructs, cf. P 9.2].

The intention of rule iteration is to execute the given rule again and again - as long as needed and as long as possible. We define

$R^n = \begin{cases} \text{skip}, & n = 0 \\ R^{n-1} \text{ seq } R, & n > 0 \end{cases}$

Denote by $\mathfrak{A}_n$ the state obtained by firing the update set of the rule $R^n$ in state $\mathfrak{A}$, if defined (i.e. $\mathfrak{A}_n = next_{R^n}(\mathfrak{A})$).

There are two natural stop situations for iterated ASM rule application, namely when the update set becomes empty (the case of successful termination) and when it becomes inconsistent (the case of failure, given the persistence of inconsistency as formulated in Proposition 1). Both cases provide a fixpoint $\lim_{n \to \infty} [\![R^n]\!]^{\mathfrak{A}}$ for the sequence $([\![R^n]\!]^{\mathfrak{A}})_{n \geq 0}$, which becomes constant if a number $n$ is found where the update set of $R$, in the state obtained by firing $[\![R^n]\!]^{\mathfrak{A}}$, is empty or inconsistent.²


Proposition 4. (Fixpoint Condition)

$\forall m > n \geq 0$ the following holds: if $[\![R]\!]^{\mathfrak{A}_n}$ is not consistent or if it is empty, then ...

Therefore we extend the syntax of ASM rules by iterate($R$) to denote the iteration of rule $R$ and define its semantics as follows.

Semantics: Let $R$ be a rule. We define

$[\![\text{iterate}(R)]\!]^{\mathfrak{A}} = \lim_{n \to \infty} [\![R^n]\!]^{\mathfrak{A}}$ if $\exists n \geq 0 : [\![R]\!]^{\mathfrak{A}_n} = \emptyset \ \vee\ \neg consistent([\![R]\!]^{\mathfrak{A}_n})$

The sequence $([\![R^n]\!]^{\mathfrak{A}})_{n \geq 0}$ eventually becomes constant only upon termination or failure. Otherwise the computation diverges and the update set for the iteration is undefined. An example for a machine $R$ which naturally produces a diverging (though in other contexts useful) computation is iterate($a := a + 1$), see m Exl. 2, pg. 350].

² We do not include here the case of an update set whose firing does not change the given state, although including this case would provide an alternative stop criterion which is also viable for implementations of ASMs.
Example 1. (Usage of iterate for starting the Java class initialization process)

The ASM model for Java in ^ includes the initialization of classes which in Java is done implicitly at the first use of a class. Since the Java specification requires that the superclass of a class $c$ is initialized before $c$, the starting of the class initialization is iterated until an initialized class $c'$ is encountered (i.e. satisfying $initialized(c')$, as eventually will happen towards the top of the class hierarchy). We define the initialization of class $class$ as follows:

initialize =
    c := class seq iterate(if ¬initialized(c) then
                               createInitFrame(c)
                               if ¬initialized(superClass(c)) then
                                   c := superClass(c))

The finiteness of the acyclic class hierarchy in Java guarantees that this rule yields a well defined update set. The rule abstracts from the standard sequential implementation (where obviously the class initialization is started in a number of steps depending on how many super classes the given class has which are not yet initialized) and offers an atomic operation to push all initialization methods in the right order onto the frame stack.

The macro to create new initialization frames can be defined as follows. The current computation state, consisting of method, program, program position pos and localVars, is pushed onto the frames stack and is updated for starting the initialization method of the given class at position 0 with empty local variables set.



createInitFrame(c) =
    classState(c) := InProgress
    frames := frames · (method, program, pos, localVars)
    method := c/<clinit>
    program := body(c/<clinit>)
    pos := 0
    localVars := ∅



While and Until. The iteration yields a natural definition of classical loop and while constructs. A while loop repeats the execution of the while body as long as a certain condition holds.

while (cond) R = iterate(if cond then R)

This while loop, if started in state $\mathfrak{A}$, terminates if eventually $[\![R]\!]^{\mathfrak{A}_n}$ becomes empty or the condition cond becomes false in $\mathfrak{A}_n$ (with consistent and non empty previous update sets and previous states $\mathfrak{A}_m$ satisfying cond). If the iteration of $R$ reaches an inconsistent update set (failure) or yields an infinite sequence of consistent non empty update sets, then the state resulting from executing the while loop starting in $\mathfrak{A}$ is not defined (divergence of the while loop). Note that the function $next$(while (cond) $R$) is undefined in these two cases on $\mathfrak{A}$.

A while loop may satisfy more than one of the above conditions, like while (false) skip. The following examples illustrate the typical four cases:

• (success) while (cond) skip

• (success) while (false) R

• (failure) while (true) a := 1
                         a := 2

• (divergence) while (true) a := a



Example 2. (Usage of while)

The following iterative ASM defines a while loop to compute the factorial function for given argument $x$ and stores the result in a location fac. It uses multiplication as given (static) function. We will generalize this example in the next section to an ASM analogue to the Böhm-Jacopini theorem on structured programming 0.

compute_fac = (fac := 1) seq (while (x > 0) fac := x * fac
                                               x := x − 1)

Remark: As usual one can define the until loop in terms of while and seq as first executing the body once and then behaving like a while loop:

do R until (cond) = R seq (while (¬cond) R).
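The constructs of this section (update sets and their consistency, the merge operator $\oplus$, seq, iterate, while and until), the four while-loop cases and the factorial machine above, as an added executable model written for this page in Python; it is not code from the paper or from ASMGofer. It assumes 0-ary locations named by plain strings, omits variable environments, and treats divergence by an assumed step cut-off (max_steps), since the undefinedness of a diverging iterate cannot be decided.

```python
# Added example (not the paper's code): an executable model of the Section 3 constructs.
# A rule maps a state to an update set; a state maps locations to values. Locations are
# plain names here (all examples use 0-ary functions); variable environments are omitted.
from typing import Callable, Dict, FrozenSet, Optional

Upd = Optional[FrozenSet[tuple]]      # update set of (loc, val) pairs; None = undefined
State = Dict[str, object]
Rule = Callable[[State], Upd]          # [[R]]_A : state -> update set

def locs(u) -> set:
    return {l for l, _ in u}                                    # Locs(u)

def consistent(u: Upd) -> bool:
    return u is not None and len(u) == len(locs(u))             # |u| = |Locs(u)|

def fire(state: State, u: Upd) -> Optional[State]:
    # fire_A(u): A updated at the locations in u; undefined for inconsistent u
    return None if not consistent(u) else {**state, **dict(u)}

def merge(u: Upd, v: Upd) -> Upd:
    # u (+) v: v overwrites u at shared locations; an inconsistent u is kept unchanged
    if u is None or v is None:
        return None
    if not consistent(u):
        return u
    return frozenset({(l, val) for l, val in u if l not in locs(v)} | v)

def skip(state: State) -> Upd: return frozenset()

def assign(l: str, term: Callable[[State], object]) -> Rule:
    return lambda state: frozenset({(l, term(state))})         # l := term

def par(*rules: Rule) -> Rule:
    def rule(state: State) -> Upd:                              # union of component sets
        sets = [r(state) for r in rules]
        return None if any(s is None for s in sets) else frozenset().union(*sets)
    return rule

def cond(pred: Callable[[State], bool], then: Rule, otherwise: Rule = skip) -> Rule:
    return lambda state: then(state) if pred(state) else otherwise(state)

def seq(p: Rule, q: Rule) -> Rule:
    # [[P seq Q]]_A = [[P]]_A (+) [[Q]]_A' with A' = next_P(A). If A' is undefined,
    # [[P]]_A is inconsistent and merge discards [[Q]], so evaluating Q in A is harmless.
    def rule(state: State) -> Upd:
        u = p(state)
        mid = fire(state, u)
        return merge(u, q(mid if mid is not None else state))
    return rule

def iterate(r: Rule, max_steps: int = 10_000) -> Rule:
    # [[iterate(R)]]_A = lim [[R^n]]_A, reached once [[R]]_{A_n} is empty (success) or
    # inconsistent (failure). Divergence is undecidable in general; max_steps is an
    # assumed cut-off after which the update set is reported as undefined (None).
    def rule(state: State) -> Upd:
        acc: Upd = frozenset()                  # [[R^0]]_A = [[skip]]_A = {}
        for _ in range(max_steps):
            u = r(fire(state, acc))             # [[R]]_{A_n}, A_n = next_{R^n}(A)
            if not u or not consistent(u):
                return merge(acc, u)            # fixpoint: [[R^m]] = [[R^{n+1}]], m > n
            acc = merge(acc, u)                 # [[R^{n+1}]] = [[R^n]] (+) [[R]]_{A_n}
        return None
    return rule

def while_(pred, r: Rule, max_steps: int = 10_000) -> Rule:
    return iterate(cond(pred, r), max_steps)    # while (cond) R = iterate(if cond then R)

def until(r: Rule, pred, max_steps: int = 10_000) -> Rule:
    return seq(r, while_(lambda s: not pred(s), r, max_steps))   # do R until (cond)

def run(rule: Rule, state: State) -> Optional[State]:
    return fire(state, rule(state))             # next_R(A); None on failure or divergence

def outcome(rule: Rule, state: State) -> str:
    u = rule(state)
    return "divergence" if u is None else ("success" if consistent(u) else "failure")

# compute_fac = (fac := 1) seq (while (x > 0) (fac := x * fac || x := x - 1))
compute_fac = seq(assign("fac", lambda s: 1),
                  while_(lambda s: s["x"] > 0,
                         par(assign("fac", lambda s: s["x"] * s["fac"]),
                             assign("x", lambda s: s["x"] - 1))))

def factorial(n: int) -> Optional[int]:
    final = run(compute_fac, {"x": n})
    return None if final is None else final["fac"]

def while_cases() -> Dict[str, str]:
    # the four typical cases of Section 3.2, started in a state with a = 0
    s = {"a": 0}
    return {
        "while (cond) skip": outcome(while_(lambda st: True, skip), s),
        "while (false) R": outcome(while_(lambda st: False, assign("a", lambda st: 1)), s),
        "while (true) a:=1 || a:=2": outcome(while_(lambda st: True,
            par(assign("a", lambda st: 1), assign("a", lambda st: 2))), s),
        "while (true) a := a": outcome(while_(lambda st: True,
            assign("a", lambda st: st["a"]), max_steps=200), s),
    }

def persistence_holds(state: State) -> bool:
    # Proposition 1: if [[P]]_A is inconsistent then [[P seq Q]]_A = [[P]]_A
    p = par(assign("a", lambda s: 1), assign("a", lambda s: 2))
    return (not consistent(p(state))) and seq(p, assign("x", lambda s: 3))(state) == p(state)
```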

The sequencing and iteration concepts above apply in particular to the Mealy-ASMs defined in ^ for which they provide the sequencing and the feedback operators. The fundamental parallel composition of ASMs provides the concept of parallel composition of Mealy automata for free. These three constructs allow one to apply to Mealy-ASMs the decomposition theory which has been developed for finite state machines in m.

3.3 Böhm-Jacopini ASMs

The sequential and iterative composition of ASMs yields a class of machines which are known from P] to be appropriate for the computation of partial recursive functions. We illustrate in this section how these Böhm-Jacopini-ASMs naturally combine the advantages of the Gödel-Herbrand style functional definition of computable functions and of the Turing style imperative description of their computation.

Let us call Böhm-Jacopini-ASM any ASM which can be defined, using the sequencing and the iterator constructs, from basic ASMs whose functions are restricted as defined below to input, output, controlled functions and some simple static functions. For each Böhm-Jacopini-ASM $M$ we allow only one external function, a 0-ary function for which we write $in_M$. The purpose of this function is to contain the number sequence which is given as input for the computation of the machine. Similarly we write $out_M$ for the unique (0-ary) function which will be used to receive the output of $M$. Adhering to the usual practice one may also require that the $M$-output function appears only on the left hand side of $M$-updates, so that it does not influence the $M$-computation and is not influenced by the environment of $M$. As static functions we admit only the initial functions of recursion theory, i.e. the following functions from Cartesian products of natural numbers into the set $\mathbb{N}$ of natural numbers: $+1$, all the projection functions, all the constant functions $C^n$ and the characteristic function of the predicate $\neq 0$.

Following the standard definition we call a number theoretic function f : N^n → N computable by an ASM M if for every n-tuple x ∈ N^n of arguments on which f is defined, the machine started with input x terminates with output f(x). By "M started with input x" we mean that M is started in the state where all the dynamic functions different from in_M are completely undefined and where in_M = x. Assuming the external function in_M not to change its value during an M-computation, it is natural to say that M terminates in a state with output y if in this state out_M gets updated for the first time, namely to y.

Proposition 5. (Structured Programming Theorem) Every partial recursive function can be computed by a Böhm-Jacopini-ASM.

Proof. We define by induction for each partial recursive function f a machine F computing it. Each initial function f of recursion theory is computed by the following machine F consisting of only one function update which reflects the defining equation of f.

F = out_F := f(in_F)

For the inductive step it suffices to construct, for any partial recursive definition of a function f from its constituent functions f_i, a machine F which mimics the standard evaluation procedure underlying that definition. We define the following macros for using a machine F for given arguments in, possibly including to assign its output to a location out:

F(in) = in_F := in seq F

out := F(in) = F(in) seq out := out_F

We start with the case of function composition. If functions g, h_1, ..., h_m are computed by Böhm-Jacopini-ASMs G, H_1, ..., H_m, then their composition f defined by f(x) = g(h_1(x), ..., h_m(x)) is computed by the following machine^6 F:

F = {H_1(in_F), ..., H_m(in_F)} seq out_F := G(out_{H_1}, ..., out_{H_m})

^6 For reasons of simplicity but without loss of generality we assume that the submachines have pairwise disjoint signatures.
Unfolding this structured program reflects the order one has to follow for evaluating the subterms in the defining equation for f, an order which is implicitly assumed in the equational (functional) definition. First the input is passed to the constituent functions h_i to compute their values, whereby the input functions of H_i become controlled functions of F. The parallel composition of the submachines H_i(in_F) reflects that any order is allowed here. Then the sequence of out_{H_i} is passed as input to the constituent function g. Finally g's value on this input is computed and assigned as output to out_F.

Similarly let a function f be defined from g, h by primitive recursion:

f(x, 0) = g(x),   f(x, y + 1) = h(x, y, f(x, y))

and let Böhm-Jacopini-ASMs G, H be given which compute g, h. Then the following machine F computes f, composed as a sequence of three submachines. The start submachine of F evaluates the first defining equation for f by initializing the recursor rec to 0 and the intermediate value ival to g(x). The while submachine evaluates the second defining equation for f for increased values of the recursor as long as the input value y has not been reached. The output submachine provides the final value of ival as output.

F = let (x, y) = in_F in
      {ival := G(x), rec := 0} seq
      (while (rec < y) {ival := H(x, rec, ival), rec := rec + 1}) seq
      out_F := ival

If f is defined from g by the μ-operator, i.e. f(x) = μy(g(x, y) = 0), and if a Böhm-Jacopini-ASM G computing g is given, then the following machine F computes f. The start submachine computes g(x, rec) for the initial recursor value 0, the iterating machine computes g(x, rec) for increased values of the recursor until 0 shows up as computed value of g, in which case the reached recursor value is set as output.

F = {G(in_F, 0), rec := 0} seq
      (while (out_G ≠ 0) {G(in_F, rec + 1), rec := rec + 1}) seq
      out_F := rec
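The constructions above in executable form, as an added example written for this edit (not the paper's own code): a small Python interpreter for the update-set semantics of parallel blocks, seq and iterate/while, on top of which the primitive-recursion and μ-operator machines of the proof are built. All names (Machine, prim_rec, mu, the `limit` guard that turns a diverging μ-search into an undefined result) are this example's own, and the leaf machines accept arbitrary Python functions rather than only the initial functions of recursion theory.

```python
# Added example (not the paper's own code): a small interpreter for the
# sequential ASM constructs (parallel block, seq, iterate/while) over update
# sets, used to build the Boehm-Jacopini machines of Proposition 5 for
# primitive recursion and the mu-operator.  A state is a dict location ->
# value, an update set a frozenset of (location, value) pairs, and a rule a
# function from a state to an update set, or to None when undefined.

def consistent(u):
    """No location receives two different values."""
    return len({loc for loc, _ in u}) == len(u)

def merge(u, v):
    """u (+) v: updates in v override updates in u to the same location."""
    later = {loc for loc, _ in v}
    return frozenset(pair for pair in u if pair[0] not in later) | v

def update(loc, term):
    """The basic rule  loc := term, with term evaluated in the current state."""
    return lambda s: frozenset({(loc, term(s))})

def par(*rules):
    """{R1, ..., Rn}: the union of the update sets, possibly inconsistent."""
    def run(s):
        us = [r(s) for r in rules]
        return None if any(u is None for u in us) else frozenset().union(*us)
    return run

def seq(r, t):
    """R seq S: an inconsistent (or undefined) R ends the composition."""
    def run(s):
        u = r(s)
        if u is None or not consistent(u):
            return u
        v = t({**s, **dict(u)})              # S runs in the state A + u
        return None if v is None else merge(u, v)
    return run

def iterate(r, limit=10_000):
    """R^n for the first n after which R adds nothing, or whose accumulated
    update set became inconsistent; a loop exceeding `limit` is undefined."""
    def run(s):
        acc = frozenset()
        for _ in range(limit):
            u = r({**s, **dict(acc)})
            if u is None:
                return None
            if not u:                        # empty update set: iteration stops
                return acc
            acc = merge(acc, u)
            if not consistent(acc):
                return acc
        return None
    return run

def while_(cond, body):
    return iterate(lambda s: body(s) if cond(s) else frozenset())

class Machine:
    """A Boehm-Jacopini ASM with its unique 0-ary input and output functions."""
    def __init__(self, name, rule_of):
        self.inp, self.out = "in_" + name, "out_" + name
        self.rule = rule_of(self)
    def call(self, arg):
        """Macro F(in) = in_F := in seq F."""
        return seq(update(self.inp, arg), self.rule)
    def compute(self, x):
        """Start with only in_F defined; return out_F, or None if undefined."""
        u = self.rule({self.inp: x})
        return None if u is None or not consistent(u) else dict(u).get(self.out)

def initial(name, f):
    """F = out_F := f(in_F) for a leaf function (here any Python function)."""
    return Machine(name, lambda m: update(m.out, lambda s: f(*s[m.inp])))

def prim_rec(name, g, h):
    """f(x,0) = g(x), f(x,y+1) = h(x,y,f(x,y)); in_F holds the tuple x + (y,)."""
    def rule(m):
        ival, rec = "ival_" + name, "rec_" + name
        x = lambda s: s[m.inp][:-1]
        start = par(seq(g.call(x), update(ival, lambda s: s[g.out])),
                    update(rec, lambda s: 0))
        step = par(seq(h.call(lambda s: x(s) + (s[rec], s[ival])),
                       update(ival, lambda s: s[h.out])),
                   update(rec, lambda s: s[rec] + 1))
        loop = while_(lambda s: s[rec] < s[m.inp][-1], step)
        return seq(start, seq(loop, update(m.out, lambda s: s[ival])))
    return Machine(name, rule)

def mu(name, g):
    """f(x) = mu y (g(x,y) = 0): raise the recursor until out_G becomes 0."""
    def rule(m):
        rec = "rec_" + name
        start = par(g.call(lambda s: s[m.inp] + (0,)), update(rec, lambda s: 0))
        step = par(g.call(lambda s: s[m.inp] + (s[rec] + 1,)),
                   update(rec, lambda s: s[rec] + 1))
        loop = while_(lambda s: s[g.out] != 0, step)
        return seq(start, seq(loop, update(m.out, lambda s: s[rec])))
    return Machine(name, rule)

# Constructed samples: factorial by primitive recursion (fac(0) = 1,
# fac(y+1) = (y+1) * fac(y)) and integer square root by the mu-operator.
FAC = prim_rec("fac", initial("one", lambda: 1),
               initial("ts", lambda y, z: (y + 1) * z))
ISQRT = mu("isqrt", initial("geq", lambda x, y: 0 if y * y >= x else 1))
```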

Remark. The construction of Böhm-Jacopini-ASMs illustrates, through the idealized example of computing recursive functions, how ASMs allow one to pragmatically reconcile the often discussed conceptual dichotomy between functional and imperative programming. In the context of discussing the "functional programming language" Gödel used to exhibit undecidable propositions in Principia Mathematica, as opposed to the "imperative programming language" developed by Turing and used in his proof of the unsolvability of the Entscheidungsproblem (see [?]), Martin Davis [?] states:

“The programming languages that are mainly in use in the software industry (like C and FORTRAN) are usually described as being imperative. This is because the successive lines of programs written in these languages can be thought of as commands to be executed by the computer ... In the so-called functional programming languages (like LISP) the lines of a program are definitions of operations. Rather than telling the computer what to do, they define what it is that the computer is to provide.”

The equations which appear in the Gödel-Herbrand type equational definition of partial recursive functions "define what it is that the computer is to provide" only within the environment for evaluation of subterms. The corresponding Böhm-Jacopini-ASMs constructed above make this context explicit, exhibiting how to evaluate the subterms when using the equations (updates), as much as needed to make the functional shorthand work correctly. We show in the next section how this use of shorthands for calling submachines, which appear here only in the limited context of structured WHILE programs, can be generalized so as to make it practical without loss of rigor.

4 Parameterized Machines 

For structuring large ASMs extensive use has been made of macros which, se- 
mantically speaking, are mere notational shorthands, to be substituted by the 
body of their definition. We enhance this use here by introducing named param- 
eterized ASM rules which in contrast to macros also support recursive ASMs. 

We provide a foundation which justifies the application of named parameterized ASMs in a way which supports the practitioners' procedural understanding. Instead of guaranteeing within the theory, typically through a fixpoint operator, that under certain conditions iterated calls of recursive rules yield as "result" a first-class mathematical "object" (namely the fixpoint), we take inspiration from the way Kleene proved his recursion theorem [?, Section 66] and leave it to the programmer to guarantee that a possibly infinite chain of recursive procedure calls is indeed well founded with respect to some partial order.

We want to allow a named parameterized rule to be used in the same way as all other rules. For example, if f is a function with arity 1 and R is a named rule expecting two parameters, then R(f(1), 2) should be a legitimate rule, too. In particular we want to allow rules as parameters, like in the following example where the given dynamic function stdout is updated to "hello world":

rule R(output) =
    output("hello world")

rule output_to_stdout(msg) =
    stdout := msg

R(output_to_stdout)

Therefore we extend the inductive syntactic definition for rules by the following new clause, called a rule application with actual parameters a1, ..., an:

R(a1, ..., an)

and coming with a rule definition of the following form:

rule R(x1, ..., xn) = body

where body is a rule. R is called the rule name, x1, ..., xn are the formal parameters of the rule definition. They bind the free occurrences of the variables x1, ..., xn in body.

The basic intuition the practice of computing provides for the interpretation of a named rule is to define its semantics as the interpretation of the rule body with the formal parameters replaced by the actual arguments. In other words we unfold nested calls of a recursive rule R into a sequence R_1, R_2, ... of rule incarnations where each R_i may trigger one more execution of the rule body, relegating the interpretation of possibly yet another call of R to the next incarnation R_{i+1}. This may produce an infinite sequence, namely if there is no ordering of the procedure calls with respect to which the sequence will decrease and reach a basis for the recursion. In this case the semantics of the call of R is undefined. If however a basis for the recursion does exist, say R_n, it yields a well defined value for the semantics of R through the chain of successive calls, namely for each 0 ≤ i < n with R = R_0, R_i inherits its semantics from R_{i+1}.

Semantics: Let R be a named rule declared by rule R(x1, ..., xn) = body, and let 𝔄 be a state. If ⟦body[a1/x1, ..., an/xn]⟧^𝔄 is defined, then

$$[\![R(a_1,\ldots,a_n)]\!]^{\mathfrak A} = [\![body[a_1/x_1,\ldots,a_n/x_n]]\!]^{\mathfrak A}$$



For the rule definition rule R(x) = R(x) this interpretation yields no value for any ⟦R(a)⟧^𝔄, see [?, Example 1, page 350]. In the following example the update set for R(x) is defined for all x ≤ 10, with the empty set as update set, and is not defined for any x > 10.

rule R(x) = if x < 10 then R(x + 1)
            if x = 10 then skip
            if x > 10 then R(x + 1)

Example 3. (Defining while by a named rule)

Named rules allow us to define the while loop recursively instead of iteratively:

rule while(cond, R) =
    if cond then
        R seq while(cond, R)

This recursively defined while operator behaves differently from the iteratively defined while of the preceding section in that it leads to termination only if the condition cond eventually becomes false, and not in the case that eventually the update set of R becomes empty. For example the semantics of the recursively defined while(true, skip) is not defined.
Example 4. (Starting Java class initialization)

We can define the Java class initialization of Example [?] also in terms of a recursive named rule, avoiding the local input variable to which the actual parameter is assigned at the beginning.

rule initialize(c) =
    if initialized(superClass(c)) then
        createInitFrame(c)
    else
        createInitFrame(c) seq initialize(superClass(c))

Remark: Iterated execution of (sub)machines R, started in state 𝔄, unavoidably leads to possibly undefined update sets. As a consequence ⟦R⟧^𝔄 = ⟦S⟧^𝔄 denotes that either both sides of the equation are undefined or both are defined and indeed have the same value. In the definitions above we adhered to an algorithmic definition of ⟦R⟧^𝔄, namely by computing its value from the computed values ⟦S⟧^𝔄 of the submachines S of R. In the appendix we give a deduction calculus for proving statements ⟦S⟧^𝔄 = u, meaning that ⟦S⟧^𝔄 is defined and has value u.

5 Further Concepts 

In this section we enrich named rules with a notion of local state, show how 
parameterized ASMs can be used as machines with return value, and introduce 
error handling for ASMs which is an abstraction of exception handling as found 
in modern programming languages. 

5.1 Local State 

Basic ASMs come with a notion of state in which all the dynamic functions are 
global. The use of only locally visible parts of the state, like variables declared 
in a class, can naturally be incorporated into named ASMs. It suffices to extend 
the definition of named rules by allowing some dynamic functions to be declared 
as local, meaning that each call of the rule works with its own incarnation of 
local dynamic functions f which are to be initialized upon rule invocation by an 
initialization rule Init(f). Syntactically we allow definitions of named rules of 
the following form: 

rule name(x1, ..., xn) =
    local f1 [Init1]
    ...
    local fk [Initk]
    body

where body and Init_i are rules. The formal parameters x1, ..., xn bind the free occurrences of the corresponding variables in body and Init_i. The functions f1, ..., fk are treated as local functions whose scope is the rule where they are introduced. They are not part of the signature of the ASM. Init_i is a rule used for the initialization of f_i. We write local f := t for local f [f := t].

For the semantic interpretation of a call of a rule with local dynamic func- 
tions, the updates to the local functions are collected together with all other 
function updates made through executing the body. This includes the updates 
required by the initialization rules. The restriction of the scope of the local 
functions to the rule definition is obtained by then removing from the update 
set u, which is available after the execution of the body of the call, the set 
Updates(f1, ..., fk) of updates concerning the local functions f1, ..., fk. This leads 
to the following definition. 

Semantics: Let R be a rule declaration with local functions as given above. If the right side of the equation is defined, we set:

$$[\![R(a_1,\ldots,a_n)]\!]^{\mathfrak A} = [\![(\{Init_1,\ldots,Init_k\}\ \mathbf{seq}\ body)[a_1/x_1,\ldots,a_n/x_n]]\!]^{\mathfrak A} \setminus Updates(f_1,\ldots,f_k)$$



We assume that there are no name clashes for local functions between different 
incarnations of the same rule (i.e. each rule incarnation has its own set of local 
dynamic functions). 

Example 5. (Usage of local dynamic functions)

The use of local dynamic functions is illustrated by the following rule computing a function f defined by a primitive recursion from functions g and h which are used here as static functions. The rule mimics the corresponding Böhm-Jacopini machine in Proposition 5.

rule F(x, y) =
    local ival := g(x)
    local rec := 0
    (while (rec < y) {ival := h(x, rec, ival), rec := rec + 1}) seq
    out := ival

5.2 ASMs with Return Value

In the preceding example, for outputting purposes the value resulting from the computation is stored in a global dynamic function out. This formulation violates good information hiding principles. To store the return value of a rule R in a location which is determined by the rule caller and is independent of R, we use the following notation for a new rule:

l ← R(a1, ..., an)

where R is a named rule with n parameters in which a 0-ary (say reserved) function result does occur with the intended role to store the return value. Let rule R(x1, ..., xn) = body be the declaration for R; then the semantics of l ← R(a1, ..., an) is defined as the semantics of R_l(a1, ..., an), where R_l is defined like R with result replaced by l:

rule R_l(x1, ..., xn) = body[l / result]

In the definition of the rule R by body, the function name result plays the role of a placeholder for a location, denoting the interface which is offered for communicating results from any rule execution to its caller. One can apply simultaneously two rules l ← R(a1, ..., an) and l' ← R(a'1, ..., a'n) with different return values for l and l'.

Remark: When using l ← R(a1, ..., an) with a term l of the form f(t1, ..., tn), a good encapsulation discipline will take care that R does not modify the values of the t_i, because they contribute to determine the location where the caller expects to find the return value.

Example 6. (Using return values)

Using this notation the above Example 5 becomes f(x, y) ← F(x, y), where moreover one can replace the use of the auxiliary static functions g, h by calls to submachines G, H computing them, namely ival ← G(x) and ival ← H(x, rec, ival).



Example 7. (Recursive machine computing the factorial function, using multiplication as static function.)

rule Fac(n) =
    local x := 1
    if n = 1 then
        result := 1
    else
        (x ← Fac(n − 1)) seq result := n * x



5.3 Error Handling

Programming languages like C++ or Java support exceptions to separate error handling from "normal" execution of code. Producing an inconsistent update set is an abstract form of throwing an exception. We therefore introduce a notion of catching an inconsistent update set and of executing error code.

The semantics of try R catch f(t1, ..., tn) S is the update set of R if either this update set is consistent ("normal" execution) or it is inconsistent but the location loc determined by f(t1, ..., tn) is not updated inconsistently. Otherwise it is the update set of S.

Since the rule enclosed by the try block is executed either completely or not at all, there is no need for any finally clause to remove trash.
Semantics: Let R and S be rules, f a dynamic function with arguments t1, ..., tn. We define

$$[\![\mathbf{try}\ R\ \mathbf{catch}\ f(t_1,\ldots,t_n)\ S]\!]^{\mathfrak A} = \begin{cases} v, & \exists v_1 \neq v_2:\ (loc, v_1) \in u \wedge (loc, v_2) \in u \\ u, & \text{otherwise} \end{cases}$$

where u = ⟦R⟧^𝔄 and v = ⟦S⟧^𝔄 are the update sets of R and S respectively, and loc is the location f(⟦t1⟧^𝔄, ..., ⟦tn⟧^𝔄).
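The case distinction above in executable form, as an added example (not from the paper): try_catch takes the two update sets and the evaluated location, and the constructed sample shows both that a clash at the caught location selects the handler's update set and that a clash at any other location leaves R's inconsistent update set untouched.

```python
# Added example (not the paper's own code) of the try/catch semantics.
# An update set is a frozenset of (location, value) pairs, a location is a
# pair (function name, argument tuple), and the handler S is selected only
# when the location named in the catch clause is updated inconsistently.

def clashing_locations(u):
    """Locations that receive two different values in update set u."""
    first, clashes = {}, set()
    for loc, val in u:
        if loc in first and first[loc] != val:
            clashes.add(loc)
        first.setdefault(loc, val)
    return clashes

def try_catch(u, v, loc):
    """[[try R catch f(t1,...,tn) S]] for u = [[R]], v = [[S]] and the
    evaluated location loc = f([[t1]],...,[[tn]]).  Only a clash at loc
    yields v; any other inconsistency in u is passed on unchanged, which is
    the 'otherwise' branch of the definition in the text."""
    return v if loc in clashing_locations(u) else u

# Constructed sample: two parallel updates of balance(acc1) disagree, so the
# update set of R is inconsistent at exactly that location.
BALANCE_ACC1 = ("balance", ("acc1",))
R_UPDATES = frozenset({(BALANCE_ACC1, 100), (BALANCE_ACC1, 50),
                       (("log", ()), "transfer")})
S_UPDATES = frozenset({(("error", ()), "conflicting balance update")})

def handled():
    """Catching balance(acc1): the handler's update set is taken."""
    return try_catch(R_UPDATES, S_UPDATES, BALANCE_ACC1)

def unhandled():
    """Catching another location: R's inconsistent set propagates."""
    return try_catch(R_UPDATES, S_UPDATES, ("balance", ("acc2",)))
```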

6 Related Work

The sequence operator defined by Zamulin in [?] differs from our concept for rules leading to inconsistent update sets, where it is not associative, due to Zamulin's definition of the merge operator for update sets. For consistent update sets Zamulin's loop constructor coincides with our while definition in Example [?].

In Anlauff's XASM [?], calling an ASM is the iteration of a rule until a certain condition holds. [?] provides no formal definition of this concept, but for consistent update sets the XASM implementation seems to behave like our definition of iterate.

Named rules with parameters appear in the ASM Workbench [?] and in XASM [?], but with parameters restricted to terms. The ASM Workbench does not allow recursive rules. Recursive ASMs have also been proposed by Gurevich and Spielmann [?]. Their aim was to justify recursive ASMs within distributed ASMs [?]. If R is a rule executed by agent a and has two recursive calls to R, then a creates two new agents a1 and a2 which execute the two corresponding recursive calls. The agent a waits for termination of its slaves a1 and a2 and then combines the result of both computations. This is different from our definition, where executing a recursive call needs only one step from the caller's view, so that the justification remains within purely sequential ASMs without invoking concepts from distributed computing. Through our definition the distinction between suspension and reactivation tasks in the iterative implementation of recursion becomes a matter of choosing the black-box or the glass-box view for the recursion. The updates of a recursive call are collected and handed over to the calling machine as a whole to determine, in the black-box view, the state following the calling state. Only the glass-box view provides a refined inspection of how this collection is computed.
A Deduction Rules for Computing Update Sets

The following rules provide a calculus for computing the semantics of standard ASMs and for the constructs introduced in this paper.

We use R, R_i, and S for rules, f for functions, x for variables, s and t for expressions, p for predicates (boolean expressions), and u and v for semantical values and update sets.



Standard ASMs

$$\frac{\forall i:\ [\![t_i]\!]^{\mathfrak A} = v_i}{[\![f(t_1,\ldots,t_n)]\!]^{\mathfrak A} = f^{\mathfrak A}(v_1,\ldots,v_n)}
\qquad
\frac{variable(x)}{[\![x]\!]^{\mathfrak A} = \zeta(x)}$$

$$\frac{[\![p]\!]^{\mathfrak A} = true,\quad [\![R]\!]^{\mathfrak A} = u}{[\![\mathbf{if}\ p\ \mathbf{then}\ R\ \mathbf{else}\ S]\!]^{\mathfrak A} = u}
\qquad
\frac{[\![p]\!]^{\mathfrak A} = false,\quad [\![S]\!]^{\mathfrak A} = u}{[\![\mathbf{if}\ p\ \mathbf{then}\ R\ \mathbf{else}\ S]\!]^{\mathfrak A} = u}$$

$$\frac{\forall i:\ [\![t_i]\!]^{\mathfrak A} = v_i,\quad [\![s]\!]^{\mathfrak A} = u}{[\![f(t_1,\ldots,t_n) := s]\!]^{\mathfrak A} = \{(f(v_1,\ldots,v_n),\, u)\}}
\qquad
\frac{}{[\![\mathbf{skip}]\!]^{\mathfrak A} = \emptyset}$$

$$\frac{\forall i:\ [\![R_i]\!]^{\mathfrak A} = u_i}{[\![\{R_1,\ldots,R_n\}]\!]^{\mathfrak A} = u_1 \cup \ldots \cup u_n}
\qquad
\frac{[\![t]\!]^{\mathfrak A} = v,\quad [\![R]\!]^{\mathfrak A_{x \mapsto v}} = u}{[\![\mathbf{let}\ x = t\ \mathbf{in}\ R]\!]^{\mathfrak A} = u}$$

$$\frac{V = \{v_1,\ldots,v_n\},\quad \forall i:\ [\![R]\!]^{\mathfrak A_{x \mapsto v_i}} = u_i}{[\![\mathbf{forall}\ x\ \mathbf{with}\ p\ \mathbf{do}\ R]\!]^{\mathfrak A} = u_1 \cup \ldots \cup u_n}
\quad \text{where } V = \{v \mid [\![p]\!]^{\mathfrak A_{x \mapsto v}} = true\}$$

$$\frac{[\![p]\!]^{\mathfrak A_{x \mapsto v}} = true,\quad [\![R]\!]^{\mathfrak A_{x \mapsto v}} = u}{[\![\mathbf{choose}\ x\ \mathbf{with}\ p\ \mathbf{do}\ R]\!]^{\mathfrak A} = u}
\qquad
\frac{\neg \exists v:\ [\![p]\!]^{\mathfrak A_{x \mapsto v}} = true}{[\![\mathbf{choose}\ x\ \mathbf{with}\ p\ \mathbf{do}\ R]\!]^{\mathfrak A} = \emptyset}$$

Sequential Composition

$$\frac{[\![R]\!]^{\mathfrak A} = u,\quad [\![S]\!]^{\mathfrak A + u} = v,\quad consistent(u)}{[\![R\ \mathbf{seq}\ S]\!]^{\mathfrak A} = u \oplus v}
\qquad
\frac{[\![R]\!]^{\mathfrak A} = u,\quad inconsistent(u)}{[\![R\ \mathbf{seq}\ S]\!]^{\mathfrak A} = u}$$

Iteration

$$\frac{[\![R^n]\!]^{\mathfrak A} = u,\quad n > 0,\quad inconsistent(u)}{[\![\mathbf{iterate}(R)]\!]^{\mathfrak A} = u}
\qquad
\frac{[\![R^n]\!]^{\mathfrak A} = u,\quad [\![R]\!]^{\mathfrak A + u} = \emptyset,\quad n > 0,\quad consistent(u)}{[\![\mathbf{iterate}(R)]\!]^{\mathfrak A} = u}$$
Parameterized Rules with Local State

Let R be a named rule as in Section 5.1.

$$\frac{[\![(\{Init_1,\ldots,Init_k\}\ \mathbf{seq}\ body)[a_1/x_1,\ldots,a_n/x_n]]\!]^{\mathfrak A} = u}{[\![R(a_1,\ldots,a_n)]\!]^{\mathfrak A} = u \setminus Updates(f_1,\ldots,f_k)}$$

Error Handling

$$\frac{[\![R]\!]^{\mathfrak A} = u,\quad \neg \exists v_1 \neq v_2:\ (loc, v_1) \in u \wedge (loc, v_2) \in u}{[\![\mathbf{try}\ R\ \mathbf{catch}\ f(t_1,\ldots,t_n)\ S]\!]^{\mathfrak A} = u}
\quad \text{where } loc = f([\![t_1]\!]^{\mathfrak A},\ldots,[\![t_n]\!]^{\mathfrak A})$$

$$\frac{[\![R]\!]^{\mathfrak A} = u,\quad [\![S]\!]^{\mathfrak A} = v,\quad \exists v_1 \neq v_2:\ (loc, v_1) \in u \wedge (loc, v_2) \in u}{[\![\mathbf{try}\ R\ \mathbf{catch}\ f(t_1,\ldots,t_n)\ S]\!]^{\mathfrak A} = v}
\quad \text{where } loc = f([\![t_1]\!]^{\mathfrak A},\ldots,[\![t_n]\!]^{\mathfrak A})$$



Remark: The second rule for choose reflects the decision in [?] that an ASM does nothing when there is no choice. Obviously other decisions could also be formalized in this manner, e.g. yielding instead of the empty set an update set which contains an error report.



Remark: The rule for forall is formulated as a finitary rule, i.e. it can be applied only for quantifying over finite sets. The set theoretic formulation in Section [?] is more general and can be formalized by an infinitary rule. It would be quite interesting to study different classes of ASMs, corresponding to different finitary or infinitary versions of the forall construct.
Introduction

I am trying to construct a structure M that eliminates quantifiers quickly: to every existential formula (∃y)φ(x,y), where φ is quantifier-free, there must be associated a formula ψ, also free of quantifiers, which is equivalent to it in M, the length of ψ being polynomially bounded as a function of that of φ; in other words, for some constant c, |ψ| ≤ |φ|^c. While we are at it, I would also like ψ to be computed from φ by a polynomial algorithm.

Why do I want to do this? Because if it were true of the two-element structure M = {0, 1}, in the language reduced to equality and the two constants 0 and 1 (or even to the single relation x = 0!), well, we would answer positively two open questions in complexity, NC^1 = P and P = NP, in uniform or non-uniform version according to whether the elimination is algorithmic or not (that this implies P = NC^1 comes from the fact that I write formulas in the usual form, and not as boolean circuits). The same thing would happen if the structure were finite, apart from the trivial case of a one-element structure, which we exclude, or if its finite language contained only relations and no functions (see [?]).

So what I want to construct is a structure having a property which, if it were possessed by the two-element structure, would cause a cataclysm in Complexity Theory! As you can see, I am practising the favourite pastime of complexity theorists, which consists of proving theorems only after having transported them into contexts where they no longer have any meaning. It is indeed very unlikely that a structure built specially to answer this question has any algorithmic stake, so that the interest of the problem lies only in the greater or lesser difficulty of its solution.

If one allows an infinite language, it becomes completely trivial: take a model M of set theory, for instance that of the hereditarily finite sets, formed by the natural numbers equipped with Ackermann's membership, also called the bit relation, if one may put it that way (x ∈ y if there is a 1 in position x of the base-2 expansion of y); the function which to (x, y) associates the pair (x, y) = {{x}, {x, y}} allows one to represent the tuple (x1, ..., xn) as the "list" (x1, (x2, (... (xn, 0) ...))); once the symbols used for writing formulas have been identified with certain elements of M, every formula φ(a) with parameters a in M is thus represented by an element "φ(a)" of M, which in modern mathematics, where everything is a set, one regards as φ(a) itself rather than as a coding which respects its size. We then consider the structure whose universe is M, in the language comprising (besides equality) the constant 0, the binary function (x, y), and an infinite sequence of unary predicates V1, ..., Vn, Vn+1, ... constructed by recursion, Vn+1 being the set of formulas satisfied by M which involve only the first n predicates V1, ..., Vn: the formula φ, whatever its quantifier rank, is equivalent in M to a formula which is quantifier-free, and of practically the same length as φ. There is also an even more stupid way of eliminating, the "Morleyisation" of an arbitrary structure, which associates to each formula φ a new relation symbol R_φ(x) (see [?] p. 89).

If one wants the problem to present some difficulty, and hence some interest, it is indispensable to restrict oneself to a finite language. One must then beware of structures M that are too rich in self-expressive power, like membership between sets, or even arithmetic, which allow formulas to be represented by elements of M and manipulated (which the pairing function alone does not allow; but nothing prevented us from adding ∈ to the structure above), since a famous result of Tarski assures us that they cannot eliminate quantifiers (the set of codes of true Π1 statements is not Σ1; see [?] ch. 7). On the other hand, at least in a first stage, one tries only to eliminate a block of existential quantifiers, and not a block of arbitrarily alternating quantifiers.

We keep this idea of a truth predicate, and we seek to construct M, a structure in a finite language containing a unary predicate V(x), having the property that to every existential formula (∃y)φ(x,y) is associated a term t_φ(x), of moderate length relative to that of φ, such that M satisfies:

(∀x)((∃y)φ(x,y) ↔ V(t_φ(x))).

The difficulty comes of course from the fact that the (quantifier-free) formula φ mentions the predicate V. One sees clearly here the whole artifice of the construction: it is not a matter of devising an algorithm to verify something in the real world; on the contrary one gives oneself the algorithm a priori, and constructs a truth that adapts to it! (It would of course be much more interesting to show that certain "natural" structures eliminate quickly, or slowly; but one should expect questions of this kind to be more or less equivalent to standard complexity problems [?], which have the reputation of being unsolvable.)

And even this artificial answer, I am unable to give entirely. I shall only construct here M satisfying:

(∀x)((∃y)φ(x,y) ↔ V(t_φ(x)))

for existential formulas in which only a single free variable x remains. This comes from my needing an easily controllable model-theoretic context, and from not having found anything better than restricting myself to unary functions, which do not allow the formation of terms in several variables. And it is already complicated enough as it is!

We shall examine in conclusion some algorithmic properties of the constructed structure, and explore a path which could lead to the discovery of another, more satisfactory structure. For now, on to the construction!



1 Two Successors

We adopt a language L comprising three unary function symbols s0, s1, p, and a unary predicate V. The first two functions are called successors, and the third predecessor. Let us fix their interpretation right away.

The basic model S is the free algebra, in the language of two unary functions, generated by an element r which we shall call its root; the elements of S are written in the form θ(r), where θ is a term in s0, s1, θ = s_{e_1} ∘ ... ∘ s_{e_m}. The length m of the term θ will also be called the level of the element θ(r), the root r being of level zero. If θ(r) = θ'(r), then the two terms θ and θ' are identical. S has the form of an infinite binary tree, composed of its root r, of its two successors s0(r) and s1(r), then of the four successors of these, s0(s0(r)), s0(s1(r)), s1(s0(r)) and s1(s1(r)), and so on.

The predecessor is the inverse of the successors, that is, p(s0(x)) = x, p(s1(x)) = x, p(r) = r.

We call a block B a copy of S equipped with an arbitrary unary predicate V_B. We consider the class C of structures M, in the language L, formed by the juxtaposition of blocks each of which is repeated infinitely many times: if B occurs in M, there are also infinitely many blocks isomorphic to B in M.

The structures in C eliminate quantifiers: this is very easy to see by model-theoretic methods involving compactness. But we, being obliged to control the size of the eliminating formulas, have no choice but to carry out this elimination painstakingly.

If n is an integer, and x an element of a block, we call the triangle of height n and root x the formula characterising up to isomorphism the piece of the block composed of the elements located at most n levels above x; it is the conjunction of the formulas satisfied by x, of the form p(x) = x or p(x) ≠ x, V(x) or ¬V(x), and V(y) or ¬V(y) for each y = s_{e_1} ∘ s_{e_2} ∘ ... ∘ s_{e_m}(x), m ≤ n. The n-neighbourhood of x is the triangle of root p^n(x) and height 2n.

Lemma 1 (Elimination Lemma). Consider M in C, an existential formula (∃y)φ(x,y), and the integer n equal to four times the total number of occurrences in φ of the symbols s0, s1 and p. Then, to determine whether an element x of M satisfies this formula, it suffices to know the n-neighbourhood of x, and to know which n-triangles are realised in M.

We shall call the range of the formula φ this number n appearing in the statement of the lemma.
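The model S, the triangles and the n-neighbourhood of this section, as an added Python example (not from the paper): elements are encoded as bit strings giving the successor path from r, atoms of a triangle are recorded relative to its root so that triangles at different roots can be compared, and the predicate V_parity is a constructed sample block predicate.

```python
# Added example (not from the paper): the basic model S of Section 1 with its
# elements written as bit strings (the path of successors taken from the root
# r; the level is the string length), together with the successors s0, s1,
# the predecessor p, the triangle of height n rooted at x and the
# n-neighbourhood.  The block predicate V used below is a constructed sample.
from itertools import product

ROOT = ""                                  # the root r, of level 0

def s0(x): return x + "0"
def s1(x): return x + "1"
def p(x): return x[:-1]                    # p(r) = r, since ""[:-1] == ""
def level(x): return len(x)

def triangle(x, n, V):
    """The conjunction, as a set of atoms, characterising up to isomorphism
    the part of the block at most n levels above x: whether p(x) = x, and
    the truth of V at every y = s_e1 o ... o s_em (x) with m <= n.  Paths are
    recorded relative to x so that triangles at different roots compare."""
    atoms = {("p(x) = x", p(x) == x)}
    for m in range(n + 1):
        for path in product("01", repeat=m):
            rel = "".join(path)
            atoms.add((("V", rel), V(x + rel)))
    return frozenset(atoms)

def neighbourhood(x, n, V):
    """The n-neighbourhood of x: the triangle of root p^n(x) and height 2n."""
    root = x
    for _ in range(n):
        root = p(root)
    return triangle(root, 2 * n, V)

def same_triangle(x, y, n, V):
    """Do x and y realise the same n-triangle, i.e. satisfy the same formula?"""
    return triangle(x, n, V) == triangle(y, n, V)

# Constructed sample block: V holds at the elements whose path from the root
# contains an even number of 1s.
def V_parity(x): return x.count("1") % 2 == 0
```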
Proof 1. We begin by putting φ in disjunctive form, which makes its size explode, but not that of its constituents: φ is written as an exponential disjunction of conjunctions in which each of the atomic formulas of φ appears exactly once, in positive or negative form; in each conjunction appears the same number ω of function symbols as in φ. Since the existential quantifier jumps over the disjunction, it suffices to treat each of these conjunctions φ_i(x,y).

The constituents of φ_i(x,y) are of the form V(θ(u)), ¬V(θ(v)), θ'(u) = θ''(v), θ'(u) ≠ θ''(v), where u and v denote variables, distinct or identical, taken from the tuple x, y, and where θ, θ', θ'' denote terms of the language L, in s0, s1 and p.

We shall say that a variable v taken from y is at distance 1 from x if there is in φ_i an equation θ'(v) = θ''(x); that it is at distance 2 from x if it is not at distance 1, but appears in an equation θ'(v) = θ''(u), where u is at distance 1 from x; and more generally, one says that a variable v is a neighbour of x if it is linked to the latter by a chain of equations appearing in φ_i, its distance from x being the minimal length of such a chain.

For each neighbour of x, we choose an equation of φ_i which links it to x, or to a variable strictly closer to x. We denote by E the conjunction of the chosen equations.

To eliminate, one proceeds as follows: one writes each equation θ'(v) = θ''(u) of E, in which v is the farthest variable, in the form v = θ(u); this may force one to distinguish an exponential number of cases, expressed by conditions on u, which has the effect of further swelling the disjunction, and of adding some conditions to each of the conjunctions. For example, if the equation is p(v) = u, one must distinguish the three cases u = p(u) = v, v = s0(u), v = s1(u). What matters is that the size of E is not affected in the course of the process, and that in the added conditions the terms do not have length greater than ω.

When this is done, the system E allows us to express each neighbour v of x as a term in a closer variable; since the total number of function symbols in E is bounded by ω, v can be put by composition in the form v = η(x) where the term η has length at most ω. One then substitutes everywhere the neighbours of x by their value, which produces only terms of length bounded by 2ω.

When the neighbours of x have thus been eliminated, each system ψ(x,y) obtained consists of three parts:

— a conjunction ψ₀(x) of conditions on terms in x of length less than 2ω;

— a conjunction ψ₁(x,y) of inequations θ'(x) ≠ θ''(y);

— a conjunction ψ₂(y) of conditions on variables that were not touched by the elimination, and that were all present originally: in ψ₂ there are no more than ω occurrences of functions.

Moreover, the block-repetition hypothesis allows us to throw away ψ₁; indeed, (∃y)ψ(x,y) is equivalent to ψ₀(x) ∧ (∃y)ψ₂(y), since if there exist y in M satisfying ψ₂, there exist some none of whose elements lies in the block of x.
One then chooses a variable in y with respect to which one applies the same procedure. In the end one obtains a decomposition of the original formula into a monstrous disjunction of formulas of the type φ₀(x) ∧ (∃y₁)φ₁(y₁) ∧ ⋯ ∧ (∃y_m)φ_m(y_m); since all the terms occurring in it have length bounded by 2ω, their satisfaction depends only on what is indicated in the statement of the lemma. End

Remarks

1. It is not here that it is essential that x be an element and not a tuple; the elimination works just as well for a tuple.

2. Ehud Hrushovski suggested to me the use of successor functions in this context, and Farzad Didehvar contributed to the elimination.

2 The truth predicate

We now choose the term t_φ. The inhabitants of the city of Sour, in the south of Lebanon, invented some 45 centuries ago a very practical system of graphic representation of speech comprising only 22 signs, which they called the alphabet, and which an American citizen much later reduced to two symbols. This allows us to write a formula φ as a binary word (e₁, …, e_m), e_i = 0 or 1. We require that the length of this word be at least 72, and also be greater than or equal to 24n, where n = 4ω is the integer that has been called the range of φ, and that appears in the elimination lemma. Given the presence of the parentheses, the translation into Morse and the correlation between the range and the number of symbols of the formula, this does not require much padding!

Moreover, to make life easier for ourselves, we also require a start-of-formula signal: every formula begins with 00, and two consecutive 0s are never found in it afterwards. I could have simplified the presentation slightly by introducing a third successor, specialized in the role of start-of-formula character: since it was not decisive, I did without it.

That being agreed, to φ = (e₁, …, e_m) we simply associate the term t_φ = s_{e_m} ∘ ⋯ ∘ s_{e_1}.

We shall say that an element y of a structure in C is constrained if it is of the form y = t_φ(x) where φ is a formula, and that it is free otherwise. If y is constrained, it is so in only one way: if t_φ(x) = t_ψ(x'), then φ = ψ and x = x', since, to find the formula that possibly constrains y, one goes back through its predecessors until two consecutive 0s are found. This is in fact not where the start signal is needed, since the parentheses, which guarantee the unambiguity of reading, forbid a formula from being a final segment of another. Its real use is to force the formulas passing through y, except those concerning its predecessor (in the case where y = s₀(p(y))), to all concern one and the same element.

One sees the need for at least two successors, not only to have a reasonable length for the term t_φ, but also for the unambiguous reading of formulas: it is clear that confusions of the kind t_φ(x) = t_ψ(x') would heavily handicap the construction of the truth predicate.
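The binary encoding of formulas and the unique reading of constrained elements, as an added Python example that is not part of Poizat's paper. Elements are modelled as strings over {0, 1} with the root as the empty string; the names START, MIN_LENGTH, t_phi and constraining_formula, and the choice to apply s_{e_1} first, are assumptions made here (the latter follows the explicit formula later in the paper).

```python
# Added example (not code from Poizat's paper): formulas written as binary
# words and turned into successor terms, and the unique recovery of the
# (formula, argument) pair from a constrained element. Elements are modelled
# as strings over {"0", "1"}: the root r is "" (so p(r) = r), s0(x) = x + "0",
# s1(x) = x + "1", and p drops the last character. Applying s_{e_1} first and
# s_{e_m} last is an assumption made here about the order of composition.

START = "00"       # start-of-formula signal: every formula word begins with 00
MIN_LENGTH = 72    # the paper asks for formula words of length at least 72


def is_formula_word(word):
    """A formula word starts with 00 and never again contains two consecutive 0s.
    (Whether the word also decodes to a well-formed formula is not checked.)"""
    return (len(word) >= MIN_LENGTH
            and set(word) <= {"0", "1"}
            and word.startswith(START)
            and "00" not in word[1:])


def s0(x):
    return x + "0"


def s1(x):
    return x + "1"


def p(x):
    """Predecessor; the root "" is its own predecessor."""
    return x[:-1]


def t_phi(word, x):
    """The term t_phi(x) = s_{e_m}(... s_{e_1}(x) ...) for phi = (e_1, ..., e_m)."""
    if not is_formula_word(word):
        raise ValueError("not a formula word")
    y = x
    for e in word:
        y = s0(y) if e == "0" else s1(y)
    return y


def constraining_formula(y):
    """Return (word, x) with y = t_phi(x) if y is constrained, else None (y is free).
    Walk back through the predecessors of y until two consecutive 0s appear;
    since no later 00 occurs inside a formula word, the last 00 in y is the
    start signal of the only formula that can end at y."""
    i = y.rfind(START)
    if i < 0:
        return None
    word, x = y[i:], y[:i]
    return (word, x) if is_formula_word(word) else None


def reading_is_unique(word1, x1, word2, x2):
    """t_phi(x) = t_psi(x') holds exactly when phi = psi and x = x' (the paper's claim)."""
    return (t_phi(word1, x1) == t_phi(word2, x2)) == (word1 == word2 and x1 == x2)
```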

This predicate V is built level by level from the bottom. As for the free points of the level under construction, one puts in all the possibilities of membership and non-membership in V, which leads to multiplying what has already been built into several blocks; thus at the beginning, up to level 71, there are only free points, so that at the bottom of the various blocks one finds copies of all the possible triangles of height 71.

On the other hand, when it comes to placing in V or in ¬V a point of the form t_φ(x), where x is at least 24n levels below, we must make a bet on the future, that is, anticipate the satisfaction, or non-satisfaction, of the formula (∃y)φ(x,y) by the element x in the structure under construction. We know the n-neighbourhood of x, obtained at earlier levels, but the information we lack is which n-triangles will be found in the structure once its construction is complete. We act as if we had already obtained all of them; more precisely, we make the hypothesis that no n-triangles will be present in this structure other than those obtained in it below level 24n (for n ≥ 1; formulas of range zero pose no problems, since the four possible triangles of height 0 are all obtained at levels 0 or 1). By the elimination lemma, this hypothesis allows us to define a strategy for determining the satisfaction of (∃y)φ(x,y): if the answer is yes, we put t_φ(x) into V, and otherwise outside it. When we have finished, we multiply all the blocks of the structure obtained.

3 The art of making hypotheses

It is all very well to make hypotheses, provided they come true. For the guessed truth to correspond to the true truth, we must show that the model M obtained satisfies the hypothesis made during its construction, namely that every triangle of height n ≥ 1 found in it has an isomorphic copy situated entirely below level 24n. This is a consequence of the following lemma, since 6n + n < 24n < 24(n + 1).

Lemma 2 (Descent lemma). Let x in M be of level strictly greater than 6n; then there exists x' in M, of level at most 6n, such that:

1. the triangle with root x', going up to level 24(n + 1) − 1, is isomorphic to the one of the same height with root x;

2. the path obtained by taking the predecessors of x' passes through s₁(r), and not through s₀(r), where r is the root of the block of x'; it is isomorphic to the path of corresponding length starting from x (that is, if s₁(r) = p^k(x'), it is the same term that expresses x' as a function of p^k(x') and x as a function of p^k(x)).




Proof 2. By induction on n. For n ≤ 2, one can fill as one wishes the triangle above x' = s₁(r) as long as one stays below level 72, since all the points there are free.

So let n ≥ 3, and let m be the integer part of n/3: 3m ≤ n < 3(m + 1). Since 1 ≤ m < n, the induction hypothesis applies to m.

So let x in M be of level greater than 6n. We want to choose x', of level at most 6n, such that the triangle above x' was filled during the construction of M in the same way as the triangle above x, up to the point where level 24(n + 1) − 1 is reached. The free points above x' will not bother us, since we had the possibility of filling them as we wished. As for the constrained points, since we stay below level 24(n + 1), they correspond to formulas φ of range at most n: by the very construction of M, if two points u and v of M have isomorphic n-neighbourhoods, and if the first satisfies V(t_φ(u)), so does the other, and conversely.

We must take into account the constrained points above x; some concern the predecessor of x, or x itself, or elements above x. If only those are met, it will suffice that the n-neighbourhood of p(x') be chosen isomorphic to that of p(x), that of x' isomorphic to that of x, and that of a point v', situated fewer than n levels above x', isomorphic to that of the corresponding point v situated above x; indeed, since the points situated higher in the triangles have their n-neighbourhood entirely above x and x', the triangle above x' will then fill up isomorphically to the one above x.

But it is also possible that x lies on the path of much longer formulas, all corresponding to a single element u, the first one met after a double 0 when walking along the predecessors of x. In this case, we shall say that x has a tail (the path joining x to u), and we shall also have to take care to reproduce the n-neighbourhood of u.

We distinguish two cases:

1. x has no tail, or has a tail of length strictly greater than n + 6m. In this case one chooses y' of level at most 3m, associated by the m-th step of the lemma to y = … . Let x' be the element corresponding to x. Since 12m + n + 1 + 2n < 24(m + 1), p(x) and p(x') have isomorphic n-neighbourhoods, as do x and x', and also the points v and v' situated fewer than n levels above; moreover x' has no tail (it has been cut off), so that the points possibly constrained by the long tail of x are now free, and can be put into V or into ¬V ad libitum, so that there is a way of proceeding that gives the same triangle above x' as above x, as long as one stays below level 24(n + 1).

2. x has a tail of length less than or equal to n + 6m. In that case, we must reproduce the n-neighbourhoods of x, of p(x), of the points v, but also of the point u at the end of the tail, and for that it suffices to reproduce, thanks to the induction hypothesis, the triangle with root p^n(u) and of height n + 6m + n + 2n below level 24(m + 1): this works because 12m + 4n < 24(m + 1).
We have copied x to x' at a level bounded by 6m + n + 1 in the first case, 12m + 2n in the second. It only remains to observe that 2n + 12m ≤ 6n. End

Remark. When the white rabbit has come out of the hat, one likes to know the trick. This proof depends on three parameters A, B and C: one requires that the length of formulas be at least An; one seeks to reproduce the roots of the triangles of height n below level Bn; for the induction step, one divides n by C, which requires AC as the minimum formula length. One sets m = ⌊n/C⌋, and one cuts the tails at n + Bm; the first case requires that Bm + n + 1 + 2n < A(m + 1), the second that 2Bm + 4n < A(m + 1), and the conclusion that 2Bm + 2n ≤ Bn. This gives 2B + 4C ≤ A, 2B/C + 2 ≤ B, or again, for C > 2, B ≥ 2C/(C − 2), A ≥ 4C(C − 1)/(C − 2); the minimum for A is attained at C = 2 + √2, and equals 12 + 8√2. I chose the parameters C = 3, B = 6, A = 24, a value very close to the minimum; other reasonable choices are C = 4, B = 4, A = 24, or C = 6, B = 3, A = 30. Large values of C (and of A!) make B tend, on the contrary, towards its lower bound.

Conclusion 

If one adds to the language of M a constant r naming a root (p(r) = r), one obtains a structure that has a fast decision algorithm for its existential sentences, since (∃y)φ(r,y) is true if and only if V(t_φ(r)) is: to see whether the sentence is true, one computes t_φ(r) and tests whether it satisfies V! This is perhaps not very convincing as an example, since it is an "algorithm" in the sense of the structure M, where, following the conventions of [?] or [?], or more generally of Algebraic Complexity, the evaluation of a quantifier-free formula (and even of a circuit) is by definition considered algorithmic. I do not think I improve my case much by observing that the analogous problem for the structure {0, 1} is NP-complete.

However, one may set 0 = s₀(r) and 1 = s₁(r) to respect the conventions of [7]; since a sentence is nothing but a syntactic object, the property described in the paragraph above is interpreted as follows: every boolean problem that is NP in the sense of M is P in the sense of M! It is very easy to build structures where any boolean problem is P thanks to the intervention of an appropriate parameter (see the "dictionaries" of [?]), but in the present case there is no need to add parameters to transform an NP algorithm into a P algorithm having the same effect on boolean data: I know of no simpler construction method for obtaining this property.

One also observes that the formula V(t_φ(x)) is horribly sequential, whereas I announced in the introduction a counterpoint to NC¹ = P! This comes from the fact that, since there are functions, it is no longer possible to parallelize formulas, so that the connection between "formulas written in traditional form" and "circuits of logarithmic depth" is lost!

I conjecture that our model M no longer eliminates quickly as soon as two free variables remain: the candidate for a difficult elimination is the existential formula in the two free variables x and x' expressing the fact that there exist e₁, …, e_n such that V(s_{e_1}, …, s_{e_n}(x)) and ¬V(s_{e_1}, …, s_{e_n}(x')) hold; it is written:

((y₁ = s₀(x) ∧ z₁ = s₀(x')) ∨ (y₁ = s₁(x) ∧ z₁ = s₁(x'))) ∧ ⋯ ∧

((y_{i+1} = s₀(y_i) ∧ z_{i+1} = s₀(z_i)) ∨ (y_{i+1} = s₁(y_i) ∧ z_{i+1} = s₁(z_i))) ∧ ⋯ ∧

V(y_n) ∧ ¬V(z_n).

It is probable that one cannot decide the truth of this formula without performing, in the worst cases, many tests, that is, in the words of [3], that there are no decision trees of polynomial depth for the NP problems in the sense of M. I therefore think that M satisfies P ≠ NP, and even P ≠ NBP. To settle the matter, one would have to examine the following problem: let B₀ be a block of M all of whose free points are outside V; if I perturb its construction by putting a certain free point into V, which constrained points will be affected? How many of them will there be at a given level?

As we have said, the weakness of the method comes from the fact that it uses only unary functions. To eliminate quantifiers quickly without restriction on x, the temptation is to glue a truth predicate onto the pairing function of Set Theory, which is nothing other than a free algebra, with infinitely many generators, in the language of one binary function (this is an example of a Malcev algebra). It is this method that easily gave in [?] p. 188 an example of a structure where P = NBP; but it risks being much harder in the presence of genuine quantifiers, because if the theory of the Malcev algebra itself is easily controllable [2], it becomes wild when an arbitrary unary predicate is added to it, since unary arity is no simpler than any other in the presence of a bijection between the universe and its cartesian square!

What we took advantage of is that the model theory of two successors is not only absolutely trivial, but that it remains so if one introduces more or less arbitrary unary predicates. That is what allowed us to foresee the final behaviour of the object we were building. In this new, infinitely more complex situation, we would need a class of predicates that remain under control when glued onto the pairing function, while leaving enough freedom of choice to be able to represent truth. That does not look so simple, and I have no candidate; on the other hand, I see no metaphysical reason forbidding the existence of such a structure, and I am surprised never to have met in my reading an attempt to build one: given the celebrity of the results of Gödel and Tarski, asserting the impossibility of defining the provable sentences or the true sentences, it is surprising to note that nobody has wished, by building counterexamples, to delimit precisely their domain of validity.

The ideal would be to exhibit a t_φ(x) of logarithmic length, and to build V such that (∃y)φ(x,y) is equivalent to V(t_φ(x)).

One could also try to eliminate following entirely different principles, for example by determining a y, if one exists, among those satisfying φ(x,y) (in this connection, question 1 at the bottom of p. 181 of [?] is completely stupid, since in a finite field every function is a polynomial; as the elimination lemma shows, one also has Skolem functions described by terms in the language of one or more successors, augmented by the selector and the characteristic function of equality; but the problem is that of the complexity of the tuple of terms associated with the formula φ), or else by describing a good reason explaining whether or not there is a y satisfying φ(x,y). That would be something resembling more closely the idea one has of an elimination algorithm than the mere consultation of a miraculous oracle. It is also possible that what I have done here is naively complicated, and that certain very simple and well-known structures obviously eliminate at lightning speed; but I doubt it.
As researchers in rigorous methods we are interested in the challenge of building and maintaining software systems on a massive scale. Our methods must work for real-world systems with hundreds or thousands of components that interact in complex ways.

To this end, Microsoft Research has recently developed a new specification language called ASML. It is based on Abstract State Machines and tailored to inter-operate with Microsoft runtime environments and languages.

Specifications written in ASML are executable. They expose the same interfaces as the actual implementation, and are packaged as programs or libraries. Accordingly, ASML can be integrated into Microsoft runtime environments and inter-operate with other languages. Developers can use them from within Microsoft's Visual Studio integrated development environment, and specification writers can include ASML in other project-related documents, such as those stored as Microsoft Word files or HTML. The compiler extracts the ASML source from the text document to execute the model.

In this way ASML can be used to:

— Explore user scenarios interactively from within a test harness.

— Explore the proposed functionality in a live environment.

— Check the implementation against the specification.

In this abstract, I will only describe the last of these, namely, how to use ASML as part of the development process to check that specifications and their corresponding implementations agree.

When an implementation becomes available, it can be run in parallel with its executable specification. This involves a new kind of runtime check: we test the implementation's externally visible behavior over time against the behavior embodied in the ASML specification. This kind of runtime checking has the advantage over other approaches in being able to detect errors without instrumenting the components being tested. Even with no access to component internals, we can monitor the sequence of external component interactions, the arguments passed and the values returned. If any of the assumptions of the design are inconsistent with the observed behavior, a runtime assertion failure will occur, and the developer will receive contextual information about the run. Similarly, if the specification is in error, it will cause false runtime assertion failures. This provides a way of ensuring that specifications are always current.
Abstract. We prove for the logic CPTime (the logic from the title) a sufficient condition for two models to be equivalent for any set of sentences which is "small" (certainly any finite set), parallel to the Ehrenfeucht-Fraïssé games. This enables us to show that sentences cannot express some properties in the logic CPTime and prove 0-1 laws for it.
Annotated Content

§0 Introduction 

§1 The Choiceless Polynomial Time Logic Presented 

[We present this logic from a paper of Blass, Gurevich, Shelah [BGSh 
533]; where the intention is to phrase a logic expressing exactly the prop- 
erties which you can compute from a model in polynomial time without 
making arbitrary choices (like ordering the model).] 

§2 The General Systems of Partial Isomorphisms 

[We define a criterion for showing that the logic cannot say too compli- 
cated things on some models using a family of partial automorphisms 
(not just real automorphisms) and prove that it works. This is a relative 
of the Ehrenfeucht-Fraisse games, and the more recent pebble games.] 

§3 The Canonical Example 

[We deal with random enough graphs and conclude that they satisfy the 0-1 law for the logic CPTime, thereby proving the logic cannot express too strong properties.]

§4 Relating the Definitions in [BGSh 533] to the Ones Here 

[We show that the definition in [BGSh 533] and the case ι = 7 here are essentially the same (i.e. we can translate at the cost of only small increases in time and space).]

§5 Closing Comments 

[We present a variant of the criterion (the existence of a simple k-system). We then define a logic which naturally expresses it. We comment on defining N_t[M] for ordinals.]
§0 Introduction

We deal here with choiceless polynomial time logic, introduced under the name CPTime in Blass Gurevich Shelah [BGSh 533]; actually we deal with several versions. Knowledge of [BGSh 533], which is phrased with ASM (abstract state machine), is not required except when we explain in §4 how the definitions here and there fit. See there more on background, in particular, on ASM-s and logic capturing P Time. The aim of this logic is to capture statements on a (finite) model M computable in polynomial time and space without arbitrary choices. So we are not allowed to choose a linear order on M, but if P is a unary predicate from the vocabulary τ_M of M and P^M has ≤ log₂(‖M‖) elements then we are allowed to "create" the family of all subsets of P^M, and if e.g. (|P^M|)! ≤ ‖M‖ we can create the family of permutations of P^M. Note that a statement of the form "CPTime captures what can be computed in polynomial time without arbitrary choices" is a thesis not a theorem. For a given model M, we consider the elements of M as urelements, and build inductively N_t = N_t[M], with N_0 = M, N_{t+1} ⊆ N_t[M] ∪ 𝒫(N_t[M]), but the definition is uniform and the size of N_t[M] should not be too large, with the major case being: it has a polynomial bound.

So we should have a specific guide T telling us how to create N_{t+1} from N_t, hence we should actually write N_t[M,T]. In the simplest version (we called it pure) essentially T = {ψ_ℓ(x, ȳ) : ℓ < m_0} and N_t is a transitive finite set with M the set of urelements, N_0 = M, N_{t+1} = N_t ∪ {{a : N_t ⊨ ψ_ℓ(a, b̄)} : b̄ ∈ ^{ℓg(ȳ)}(N_t) and ℓ < m_0}; where each ψ_ℓ is a first order formula in the vocabulary of M plus the membership relation ∈ (i.e. τ_M ∪ {∈}) and N_t has the relations of M and the relation ∈ ↾ N_t. We stop when N_t = N_{t+1}, in the "nice" cases after polynomial time and space, and then can ask "N ⊨ χ?" getting yes or no.
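The pure construction N_0 = M, N_{t+1} = N_t ∪ {{a : N_t ⊨ ψ_ℓ(a, b̄)} : …} just described, as an added Python example that is not code from the paper; it also shows a size bound in the role of the resource limit stopping a run that never reaches N_t = N_{t+1}. The toy model M, the relation E, the predicates out_neighbours and pair standing in for the ψ_ℓ, and the functions build and sizes are assumptions made here.

```python
# Added example, not code from the paper: the "pure" version of the inductive
# construction N_0 = M, N_{t+1} = N_t ∪ {{a : N_t ⊨ ψ_ℓ(a, b̄)} : b̄ from N_t, ℓ < m_0}
# run on a constructed toy model, with a size bound playing the role of the
# resource limit. Urelements are ints, every other element is a frozenset
# (hereditarily finite over M). Representing each ψ_ℓ as a Python predicate
# psi(N, a, b) is an assumption made here; build, out_neighbours, pair and
# sizes are names chosen for this illustration.
from itertools import product

# Constructed model M = ({0, 1, 2}, E) with E the directed path 0 -> 1 -> 2.
M = (0, 1, 2)
E = {(0, 1), (1, 2)}


def out_neighbours(N, a, b):
    """ψ_0(x; y) = E(y, x): the set {a : E(b, a)} is the out-neighbourhood of b.
    For a set b (not an urelement) E(b, a) is simply false."""
    return (b[0], a) in E


def pair(N, a, b):
    """ψ_1(x; y, z) = (x = y ∨ x = z): the unordered pair {b_0, b_1}."""
    return a == b[0] or a == b[1]


def build(M, formulas, arities, bound):
    """Iterate N_t until N_t = N_{t+1} (the natural target condition) or until
    ‖N_t‖ exceeds bound (the "undefined" outcome of case ι = 2).
    Returns (stages, stopped_by_bound) with stages = [N_0, N_1, ...]."""
    N = frozenset(M)
    stages = [N]
    while True:
        if len(N) > bound:
            return stages, True
        new = set(N)
        # Uniformly, without choosing an order on N_t: every ψ_ℓ and every
        # parameter tuple b̄ over N_t contributes the set it defines.
        for psi, n in zip(formulas, arities):
            for b in product(N, repeat=n):
                new.add(frozenset(a for a in N if psi(N, a, b)))
        new = frozenset(new)
        if new == N:
            return stages, False
        N = new
        stages.append(N)


def sizes(stages):
    """‖N_0‖, ‖N_1‖, ... for a run of build."""
    return [len(s) for s in stages]
```

With out_neighbours alone the run reaches the target condition at N_1 (the three out-neighbourhoods {1}, {2} and ∅ are added and nothing new appears afterwards), whereas pair keeps forming pairs of pairs and is stopped by the bound.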

We consider several versions of the definition of the logic; this should help 
us to see “what is the true logic capturing polynomially computable statements 
without making arbitrary choices”. 

Our aim here is to deal with finite models and processes, but we dedicate a 
separate place at the end to some remarks on infinitary ones and set theory. We 
also comment in this section on classical model theoretic roots; both, of course, 
can be ignored. 

For a logic ℒ it is important to develop methods to analyze what it can say. Usual applications of such methods are to prove that:

(a) no sentence in ℒ expresses some property (which another given logic can express, so we can prove that they are really different)

(b) certain pairs of models are equivalent

(c) zero-one laws.

For first order logic we use mostly elimination of quantifiers, E.F. (Ehrenfeucht-Fraïssé) games (see [GK] or [Ho93] or Ebbinghaus and Flum [EbFl95]) and others; we are most interested in relatives of E.F. games. In finite model theory people have worked on the logic (usually denoted by L_{∞,k}) of first order formulas in which every subformula has ≤ k free variables, a relative of the L_{∞,ω} logics (see e.g. [Di]). We can use even such formulas in L_{∞,ω} but for equivalence of finite models this does not matter. For L_{∞,k} the relatives of E.F. games are called pebble games (see [EbFl95]).

The E.F. criterion (see Karp [Ka]) for the L_{∞,ω}-equivalence of two models M_1, M_2 of the same vocabulary τ is the existence of a non-empty family 𝓕 of partial one-to-one functions from M_1 to M_2 such that for every f ∈ 𝓕, i ∈ {1, 2} and a ∈ M_i there is g ∈ 𝓕 extending f such that i = 1 ⇒ a ∈ Dom(g) and i = 2 ⇒ a ∈ Rang(g) (a particular case is M = N; there, of course, M, N are equivalent but the question is when are (M, a), (M, b) equivalent). Note that for finite models and even for countable models, this criterion implies isomorphism. But if we restrict ourselves to first order sentences of quantifier depth ≤ k we can replace 𝓕 by ⟨𝓕_ℓ : ℓ ≤ k⟩ and above we say that for every f ∈ 𝓕_{ℓ+1}, i ∈ {1, 2}, a ∈ M_i there is g ∈ 𝓕_ℓ as there (this is the original E.F. game). For L_{∞,k} this does not work but without loss of generality, f ∈ 𝓕 & A ⊆ Dom(f) ⇒ f ↾ A ∈ 𝓕, and above we restrict ourselves to f ∈ 𝓕 with |Dom(f)| < k. Now probably the simplest models are those with equality only: so every permutation of the (universe of the) model is an automorphism. So using this group it is proved in [BGSh 533] that CPTime cannot say much on such models, thus showing that CPTime does not capture P Time; in fact odd/even is not captured.

But in our case, suppose we are given a family of partial isomorphisms from M_1 to M_2; we have to create such a family for N_t[M_1, T], N_t[M_2, T].

We answer here some questions of [BGSh 533]: get a 0-1 law, show that CPTime + counting does not capture P Time.

Note that if P^M is small enough then we can have e.g. Per(P^M), the group of permutations of P^M, as a member of N_t = N_t[M, T] for t large enough: just in N_{3t} we may have the set of partial permutations of P^M of cardinality ≤ t. We thank Yuri Gurevich and Andreas Blass for helpful comments.

Notation:

1) Natural numbers are denoted by i, j, k, ℓ, m, n, r, s, t. We identify a natural number t with {s : s < t}, so 0 = ∅, and we may allow t = ∞ = the set of natural numbers (ω for set theorists). Let [m] = {1, …, m}.

2) Let τ denote a vocabulary, i.e. a set of predicates P (each predicate with a given arity n(P)); we may also have function symbols, but then it is natural to interpret them as partial functions, so better to treat them as relations and avoid function symbols. We may attach to each predicate P ∈ τ a group g_P of permutations of {0, …, n(P) − 1} telling under what permutations of its argument places the predicate P is supposed to be preserved; if not specified g_P is a trivial group.

3) Let P, Q, R denote predicate symbols.

4) Formulas are denoted by φ, ψ, θ, χ; usually θ, χ are sentences.

5) Let ℒ denote a logic and ℒ(τ) denote the resulting language, the set of ℒ-formulas in the vocabulary τ.

6) Let M, N denote models and let τ_M = τ(M) denote the vocabulary of M and let P^M denote the interpretation of the predicate P ∈ τ_M. So P^M is a relation on M with arity n(P), and if g = g_P is not trivial and σ ∈ g_P, ⟨a_ℓ : ℓ < n(P)⟩ a sequence of elements of M, then ⟨a_ℓ : ℓ < n(P)⟩ ∈ P^M ⇒ ⟨a_{σ(ℓ)} : ℓ < n(P)⟩ ∈ P^M.

Models are finite if not said otherwise.

7) Let |M| be the universe (= set of elements) of M and ‖M‖ the cardinality of |M|, but abusing notation we may say "of M".

8) Let t, s denote functions from the set of natural numbers to the set of natural numbers ≥ 1 and let 𝐓 denote a family of such functions. We may write t(M) instead of t(‖M‖).

9) For a function f and a set A let f''(A) = {f(x) : x ∈ A and x ∈ Dom(f)}. [Why do we not write f(A)? Because f may act both on A and on its elements; this occurs for functions like G(f), defined and investigated in §2.]

0.1 Discussion: Would we really like to allow t(M) to depend not just on ‖M‖? For the definition of the logic we have no problems, also for the criteria of equivalence of M_1, M_2 (except saying ‖M_1‖ = ‖M_2‖ & t_1 = t_2 ⇒ t_1(M_1) = t_2(M_2)). But this is crucial in proving a weak version of the 0-1 law, say for random graphs; to overcome this we need to "compensate" with more assumptions.



§1 The Choiceless Polynomial Time Logic Presented 

Here we present the logic. How do we "compute" whether a model M satisfies a "sentence" θ? Note that the computation should not take too long and use too much "space" (in the "main" case: polynomial).

Informally, we start with a model M with each element an atom = ur-element; we successively define N_t[M] and N_t^+[M], an expansion of N_t[M], t running on the stages of the "computation"; to get N_{t+1}[M] from N_t[M] we add a few families of subsets of N_t, each family, for some ψ_ℓ, consisting of the sets defined by ψ_ℓ(x, ā) for some ā from N_t[M], and we update a few relations or functions, by defining them from those of the previous stage. Those are P_{t,ℓ} for ℓ < m_1. We may then check if a target condition holds, then we stop, getting an answer: the model satisfies θ or fails, by checking if some sentence χ holds; the natural target condition is when we stop to change. Note that each stage increases the size of N_t[M] by at most a (fixed) power, however in ‖M‖ steps we may have constructed a model of size … but this is against our intentions. So we shall have a function t in ‖M‖, normally polynomial, whose role is that when we have wasted too much resources (e.g. ‖N_t[M]‖ + t) we should stop the computation even if the target condition has not occurred; in this case we still have to decide what to do.

This involves some parameters. First a logic ℒ telling us which formulas are allowable

(a) in the inductive step (the ψ_ℓ(−, ȳ)-s)

(b) in stating "the target condition" (we use standard ones: … or P_0 = P_2 or C_0 = C_2) and the χ telling us if the answer is yes or no.

Second, a family 𝐓 of functions t (with domain the family of finite models) which tell us when we should stop, having arrived at the limit of allowable resources (clearly the normal family 𝐓 is {t_k : k < ω} where t_k(M) = ‖M‖^k). So for T which describes the induction step (essentially how to get N_{t+1}[M] from N_t[M]), χ telling us the answer and t ∈ 𝐓 we have a sentence θ_{T,χ,t}. We still have some variants, getting a logic for each ι ∈ {1, 2, 3, 4, 5, 6, 7, 11, 22}.

In the case $\iota = 1$ we ignore $\mathbf t$, so $M \models \theta_{\Upsilon,\chi,\mathbf t}$ iff for some $t < \infty$ the target 
condition holds, or we let $t = \infty$, and for this $t$, $\chi$ is satisfied by $N^+_t$. 

This is a very smooth definition, but we have lost our main goal. We may restrict 
ourselves to "good" sentences for which we always stop in "reasonable" time and 
space. 

In the case $\iota = 2$, possibly we stop because of $\mathbf t$ before the target condition 
holds; in this case we say "$\theta_{\Upsilon,\chi,\mathbf t}$ is undefined for $M$". The case $\iota = 3$ is like 
$\iota = 2$ but we restrict ourselves to the so called "standard $\Upsilon$", where in $N_t[M]$ 
we have the natural numbers $< t$, so we can ignore the "time" as a resource as 
always $\|N_t[M]\| \ge t$. The case $\iota = 4$ is like $\iota = 3$ but instead of stopping when 
$\|N_t[M]\|$ is too large, we stop when at least one of the families of sets added to 
$N_t[M]$ to form $N_{t+1}[M]$ is too large. The case $\iota = 5$ is like the case $\iota = 2$, but an 
additional reason for stopping is $t > \mathbf t(\|M\|)$. The case $\iota = 6$ is as the case $\iota = 2$, 
separating the bounds on "space" (that is $\|N_t[M]\|$) and "time" (that is $t$); the 
case $\iota = 7$ is similar, not stopping for $N^+_t = N^+_{t+1}$. The cases $\iota = 11$, $\iota = 22$ 
are like $\iota = 1$, $\iota = 2$ respectively, but using $N_t[M,\Upsilon,\mathbf t]$ (see Definition 1.1(3A)) 
instead of $N_t[M,\Upsilon]$; for $\iota = 22$ we separate $\mathbf t$ into two functions. 

We treat as our main case $\iota = 3$; see more in 1.7. 

More formally: 

1.1 Definition. 1) We are given a model $M$, with vocabulary $\tau = \tau[0]$, $\tau$ finite 
and $\in$ not in $\tau$; let $\tau^+ = \tau[1] = \tau \cup \{\in\}$. Considering the elements of $M$ as atoms 
= urelements, we define $V_t[M]$ by induction on $t$: $V_0[M] = (M, \in\restriction M)$, and 
clearly $\in\restriction M$ is empty (as we consider the members of $M$ as atoms = 
"urelements"). Next $V_{t+1}[M]$ is the model with universe $V_t[M] \cup \{a : a \subseteq V_t[M]\}$ 
(by our assumption on "urelements" we have $a \subseteq V_t[M] \Rightarrow a \notin M$) with the 
predicates, individual constants and function symbols of $\tau$ interpreted as in 
$M$ (so function symbols in $\tau$ are always interpreted as partial functions) and 

$\in^{V_{t+1}[M]}$ is $\in\restriction V_{t+1}[M]$. 

2) 

(A) We say $\Upsilon = (\bar\psi, \bar\varphi, \bar P)$ is an inductive scheme for the logic $\mathscr L_{\rm f.o.}$ or 
the language $\mathscr L_{\rm f.o.}(\tau)$ (where $\mathscr L_{\rm f.o.}$ is first order logic) if: letting $m_0 = 
\ell g(\bar\psi)$, $m_1 = \ell g(\bar\varphi)$ and $\tau[2] = \tau[2][\Upsilon] = \tau[1] \cup \{P_k : k < m_1\}$ we have 

(a) $\bar P = \langle P_k : k < m_1\rangle$ is a sequence (with no repetitions) of predicates 
and function symbols not in $\tau[1]$ (notationally we treat an $n$-place 
function symbol as an $(n+1)$-place predicate), where $P_k$ is an $m^\Upsilon_1(k)$-place 
predicate. Let $m^\Upsilon_1$ be the function giving this information and 
whether $P_k$ is a predicate or a function symbol (so it has domain 
$\{0,\ldots,m_1 - 1\}$), 

(b) $\bar\psi = \langle\psi_\ell : \ell < m_0\rangle$, $\psi_\ell = \psi_\ell(x;\bar y_\ell)$ is first order in the vocabulary 
$\tau[2]$, 

(c) $\bar\varphi = \langle\varphi_k : k < m_1\rangle$, $\varphi_k = \varphi_k(\bar x_k)$ is first order in the vocabulary $\tau[2]$ 
with $\ell g(\bar x_k) = m^\Upsilon_1(k)$; moreover $\bar x_k = \langle x_i : i < m^\Upsilon_1(k)\rangle$. 

(B) We say $\Upsilon$ is simple if 

(d) each $P_k$ is a unary predicate and each $\varphi_k(x)$ appears among the 
$\psi_\ell$'s (with empty $\bar y_\ell$), and for every hereditary model $N^* \subseteq V_\infty[M]$ 
and a $\tau[2]$-expansion $N^+$ of $N^*$ we have: $\{a : N^+ \models \psi_\ell[a]\}$ is a 
member of $N^*$ or is $\emptyset$. 

(C) We may write $m^\Upsilon_0$, $m^\Upsilon_1$, $\bar\psi^\Upsilon$, $\bar\varphi^\Upsilon$, $\bar P^\Upsilon$, $\psi^\Upsilon_\ell$, $\varphi^\Upsilon_k$, $P^\Upsilon_k$. We let 

(D) We say $\Upsilon$ is predicative if each $P_k$ is a predicate; we may restrict ourselves 
to this case for the general theorems. We say $\Upsilon$ is pure if $m_1 = 0$. 

(E) $\Upsilon$ is monotonic if "$y \in x$" is $\psi_\ell$ for some $\ell < m_0$ (this will cause $N_t$ below 
to grow); no big loss if we restrict ourselves to such $\Upsilon$. It is strongly 
monotonic if in addition each $\varphi_k(\bar x)$ has the form $P_k(\bar x) \vee \ldots$ (this will 
cause also each $P_k$ to grow). 

(F) $\Upsilon$ is i.c. (informally, an individual constants scheme) if each $P_k$ is a zero 
place function symbol; in this case if $P_k$ is well defined we may write it 
as $c_k$. 

3) For $M$, $\tau = \tau[0]$, $\tau[1]$, $\tau[2]$, and $\Upsilon = (\bar\psi, \bar\varphi, \bar P)$ as above, we shall define by 
induction on $t$ a submodel $N_t = N_t[M]$ of $V_t[M]$ and $\bar P_t = \langle P_{t,k} : k < m_1\rangle$ 
and $N^+_t[M]$ and $\mathcal F_{t,\ell}$ (for $\ell < m_0$) as follows; more exactly we are defining 

$N_t[M,\Upsilon]$, $P_{t,k}[M,\Upsilon]$ for $k < m_1$, $\mathcal F_{t,\ell}[M,\Upsilon]$ for $\ell < m_0$. 

We let $N^+_t[M,\Upsilon] = (N_t[M,\Upsilon], P_{t,0}[M,\Upsilon], \ldots, P_{t,m_1-1}[M,\Upsilon])$. 

Case 1: $t = 0$: $N_t[M] = V_0[M]$ and $P_{t,k} = \emptyset$ (an $m^\Upsilon_1(k)$-place relation). 

Case 2: $t + 1$: $N_{t+1}[M]$ is the submodel of $V_{t+1}[M]$ with set of elements the 
transitive closure of $M \cup \bigcup_{\ell < m_0} \mathcal F_{t,\ell}[M]$, where we define $\mathcal F_{t,\ell}[M]$ and $P_{t+1,k}$ by: 

$\mathcal F_{t,\ell}[M] = \big\{\{a \in N_t[M] : N^+_t[M] \models \psi_\ell(a,\bar b)\} : \bar b \in {}^{\ell g(\bar y_\ell)}(N_t[M])\big\}$ 

$P_{t+1,k} = \{\bar a \in {}^{m^\Upsilon_1(k)}(N_t[M]) : N^+_t[M] \models \varphi_k(\bar a)\}$ 

but if $P_k$ is a function symbol, 

$P_{t+1,k} = \{\bar a{}^\frown\langle b\rangle \in {}^{m^\Upsilon_1(k)}(N_t[M]) : N^+_t[M] \models \varphi_k(\bar a, b) \ \&\ (\exists! y)\varphi_k(\bar a, y)\}$ 

(so if $\Upsilon$ is simple, then for $t \ge 1$, $\psi_k(x,\bar y) \in \mathscr L_{\rm f.o.}(\tau[2])$ is actually $\ldots$). 

Case 3: $t = \infty$: 

$N_t = \bigcup_{s<t} N_s$, $P_{t,k} = \bigcup_{s<t} P_{s,k}$. 

3A) If in addition $\mathbf t \in \mathbf T$ and $\Upsilon$ is monotonic (see part (2) clause (E)) we define 
$N_t[M,\Upsilon,\mathbf t]$, $P_{t,\ell}[M,\Upsilon,\mathbf t]$ and $\mathcal F_{t,\ell}[M,\Upsilon,\mathbf t]$ as in part (3) except that the universe 
of $N_{t+1}[M,\Upsilon,\mathbf t]$ is the transitive closure of $M \cup \bigcup\{\mathcal F_{t,\ell}[M,\Upsilon,\mathbf t] : \ell < m_0$ and 
$\mathcal F_{t,\ell}[M,\Upsilon,\mathbf t]$ has at most $\mathbf t(\|M\|)$ members$\}$. 

4) We say $\Upsilon$ is standard if some $\psi_\ell$ guarantees that $t \subseteq N_t[M]$ (so a natural 
number $s$ belongs to $N_t[M]$ iff $s < t$; remember that we identify the natural 
number $t$ with the set $\{0, 1, \ldots, t-1\}$). 

5) Let q.d.$(\psi)$ be the quantifier depth of the formula $\psi$. 

6) We may replace above first order logic by another logic $\mathscr L$. We let $\mathscr L_{\rm f.o.}$ denote 
first order logic; $\mathscr L_{\rm card}$ is defined just like first order logic except that we demand that 
$\Upsilon$ is standard and, defining inductively what is a formula, we allow the formation 
of formulas of the form $|\{x : \theta(x,\bar y)\}| = s$. We let $\mathscr L_{{\rm card},\mathbf T}$ (on $\mathbf T$ see below) be 
defined just like $\mathscr L_{\rm f.o.}$ but for each $\mathbf t \in \mathbf T$ we allow the quantifier $(Q_{\mathbf t}x)\varphi(x,\bar y)$ 
with 

$N \models (Q_{\mathbf t}x)\varphi(x,\bar a)$ iff $\mathbf t(|{\rm ure}(N)|) < |\{b : N \models \varphi(b,\bar a)\}|$, 

where ${\rm ure}(N)$ is the set of urelements of $N$. 

6A) Lastly, let $\mathscr L_{\rm f.o.+na}$ be like $\mathscr L_{\rm f.o.}$ but we add one atomic formula $|{\rm atoms}| = x$, 
interpreted as: the number of atoms is $x$. So this can be expressed in 
$\mathscr L_{{\rm card},\mathbf T}$ where $\mathbf T = \{{\rm id}\}$, ${\rm id}(n) = n$. 



1.2 Remark. Alternatively to $\mathscr L_{\rm card}$: have a quantifier 

$(Qx_1,x_2)(\varphi_1(x_1,\bar y_1), \varphi_2(x_2,\bar y_2))$, 

which says that $|\{x : \varphi_1(x,\bar y_1)\}| = |\{x : \varphi_2(x,\bar y_2)\}|$. 

In the definition below the reader can concentrate on $\iota = 3$. The "$t > 2$ & ..." 
is not a serious matter. 

1.3 Definition. Let $\mathbf T$ be a set of functions $\mathbf t : \mathbb N \to \mathbb N \cup \{\infty\}$ and $\mathscr L^*$ be a logic 
($\mathscr L_{\rm f.o.}$ or $\mathscr L_{\rm f.o.+na}$ or $\mathscr L_{\rm card}$ usually) and let $\tau$ be a vocabulary. If $\mathbf t$ is constantly 
$\infty$ we may write $\infty$. 

We define for $\iota = 1,2,3,4,5,6,7,11,22$ the logic $\mathscr L^\iota[\mathscr L^*]$ below. For all of 
those logics the set of sentences for a vocabulary $\tau$, called $\mathscr L^\iota[\mathscr L^*](\tau)$, is a subset 
of $\Theta = \Theta_\tau = \Theta_\tau[\mathscr L^*,\mathbf T] = \{\theta_{\Upsilon,\chi,\mathbf t} : \Upsilon$ an inductive scheme for $\mathscr L^*(\tau)$, $\chi \in 
\mathscr L^*(\tau)$ and $\mathbf t \in \mathbf T\}$ (equal if not said otherwise). Also for most of those logics 
we define the stopping time $t_\iota[M,\Upsilon,\mathbf t]$ or $t_\iota[M,\Upsilon]$ (if $\mathbf t$ does not matter). The 
satisfaction relation for $\mathscr L^\iota[\mathscr L^*](\tau)$ is denoted by $\models_\iota$. Also we write $\theta_{\Upsilon,\chi}$ instead 
of $\theta_{\Upsilon,\chi,\mathbf t}$ if $\mathbf t$ does not matter. (We may let ${\rm Dom}(\mathbf t)$ be the set of relevant structures, 
see 0.1.) 







Case 1: $\iota = 1$. 

We let 

$t_\iota[M,\Upsilon] = {\rm Min}\{t : t > 2$ and $N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]\}$. 

(If there is no such $t \in \mathbb N$ we let it be $\infty$ (i.e., $\omega$ for set theorists) and we could 
also have used "undefined"; note that $\mathbf t$ does not appear.) 

$M \models_\iota \theta_{\Upsilon,\chi}$ iff $N^+_t[M,\Upsilon] \models \chi$ for $t = t_\iota[M,\Upsilon]$. 

Case 2: $\iota = 2$. 

We let $t_\iota[M,\Upsilon,\mathbf t] = {\rm Min}\{t : \|N_{t+1}[M,\Upsilon]\| + (t+1) > \mathbf t(\|M\|)$ or $t > 2$ & 
$N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]\}$ and 

(a) if for $t = t_\iota[M,\Upsilon,\mathbf t]$ we have $t > 2$ & $N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]$ then 
$\theta_{\Upsilon,\chi,\mathbf t}$ is true or false in $M$ iff $N^+_t[M,\Upsilon] \models \chi$ or $N^+_t[M,\Upsilon] \models \neg\chi$ re- 
spectively, and we write $M \models_\iota \theta_{\Upsilon,\chi,\mathbf t}$ or $M \models_\iota \neg\theta_{\Upsilon,\chi,\mathbf t}$ respectively (so 
$\neg\theta_{\Upsilon,\chi,\mathbf t}$ is equivalent to $\theta_{\Upsilon,\neg\chi,\mathbf t}$). 

(b) if $t_\iota[M,\Upsilon,\mathbf t] = \mathbf t(\|M\|) + 1$ we say "$M \models_\iota \theta_{\Upsilon,\chi,\mathbf t}$ is undefined" and we 
say "the truth value of $\theta_{\Upsilon,\chi,\mathbf t}$ in $M$ is undefined". 

Case 3: $\iota = 3$. 

As in Case 2 but we restrict ourselves to standard $\Upsilon$, see Definition 1.1(4), and 
let $t_\iota[M,\Upsilon,\mathbf t] = {\rm Min}\{t : \|N_{t+1}[M,\Upsilon]\| > \mathbf t(\|M\|)$ or $t > 2$ & $N^+_t[M,\Upsilon] = 
N^+_{t+1}[M,\Upsilon]\}$ and define $\models_\iota$ as in Case 2. 

Case 4: $\iota = 4$. 

As in Case 2 but we restrict ourselves to standard $\Upsilon$ and let: 

$t_\iota[M,\Upsilon,\mathbf t] = {\rm Min}\{t :$ for some $k < m_0$ the set $\mathcal F_{t+1,k}[M,\Upsilon]$ 
has $> \mathbf t(\|M\|)$ members or 
$t > 2$ & $N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]\}$ 

(so it can be $\infty$; but by a choice of e.g. $\psi_0$ we can guarantee $\mathcal F_{t,0} = \{0, \ldots, t-1\}$ 
so that this never happens) and define $\models_\iota$ as in Case 2. 

Case 5: $\iota = 5$. 

As in Case 2 but we restrict ourselves to standard $\Upsilon$ and $t_\iota[M,\Upsilon,\mathbf t] = {\rm Min}\{t : 
t > \mathbf t(\|M\|)$ or for some $k < m_0$ the set $\mathcal F_{t+1,k}[M,\Upsilon]$ has $> \mathbf t(\|M\|)$ members 
or $t > 2$ & $N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]\}$. 

Case 6: $\iota = 6$. 

As in the case $\iota = 2$ but 

$t_\iota[M,\Upsilon,\mathbf t] = {\rm Min}\{t : t > \mathbf t^{\rm tm}(\|M\|)$ or $\|N_t[M,\Upsilon]\| > \mathbf t^{\rm sp}(\|M\|)$ 
or $N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]\}$ 

where 

$\mathbf t^{\rm tm}(n) = \mathbf t(2n)$, $\mathbf t^{\rm sp}(n) = \mathbf t(2n+1)$ 

and, of course, tm, sp stand for time and space, respectively. So we may replace $\mathbf t$ 
by two functions $\mathbf t^{\rm tm}$, $\mathbf t^{\rm sp}$ and write sentences as $\theta_{\Upsilon,\chi,\mathbf t',\mathbf t''}$ (similarly for $\iota = 7, 22$). 

Case 7: $\iota = 7$. 

We define $t_\iota[M,\Upsilon,\mathbf t] = {\rm Min}\{t : t > \mathbf t^{\rm tm}(\|M\|)$ or $\|N_t[M,\Upsilon]\| > \mathbf t^{\rm sp}(\|M\|)$ or 
$t > 2$ & $N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]\}$ 

and let: 

$M \models_\iota \theta_{\Upsilon,\chi,\mathbf t}$ iff $N_t[M,\Upsilon] \models \chi$ for $t = t_\iota[M,\Upsilon,\mathbf t]$ 

(so unlike cases 2-6, the truth value is always defined). 

Case 11: $\iota = 11$. 

As in the case $\iota = 1$, but we use $N_t[M,\Upsilon,\mathbf t]$, $\bar P_t[M,\Upsilon,\mathbf t]$ (see Definition 
1.1(3A)). 

Case 22: $\iota = 22$. 

As in the case $\iota = 2$, but we use $N_t[M,\Upsilon,\mathbf t^{\rm wd}]$, $\bar P_t[M,\Upsilon,\mathbf t^{\rm wd}]$ where $\mathbf t^{\rm wd} \in \mathbf T$ 
is defined by $\mathbf t^{\rm wd}(n) = \mathbf t(2n)$ (wd for width) and define $t_\iota$ by 

$t_\iota[M,\Upsilon,\mathbf t] = {\rm Min}\{t : \|N_{t+1}[M,\Upsilon,\mathbf t^{\rm wd}]\| + (t+1) > \mathbf t^{\rm ht}(\|M\|)$ or 
$t > 2$ & $N^+_t[M,\Upsilon,\mathbf t^{\rm wd}] = N^+_{t+1}[M,\Upsilon,\mathbf t^{\rm wd}]\}$ 

where (ht for height) 

$\mathbf t^{\rm ht} \in \mathbf T$ is defined by $\mathbf t^{\rm ht}(n) = \mathbf t(2n+1)$. 

We may write $(\mathbf t^{\rm wd}, \mathbf t^{\rm ht})$ instead of $\mathbf t$. 

1.4 Remark. Alternatively: 

Case $10 + \iota$: for $\iota = 1, \ldots, 7$. 

Like the case $\iota$ but we use $N_t[M,\Upsilon,\mathbf t]$, $\bar P_t[M,\Upsilon,\mathbf t]$ and let $t_{10+\iota} = t_\iota$. 

Case $20 + \iota$: $\iota = 1, \ldots, 7$. 

As in the cases $\iota = 1, \ldots, 7$, but we use $N_t[M,\Upsilon,\mathbf t^{\rm wd}]$, $\bar P_t[M,\Upsilon,\mathbf t^{\rm wd}]$ where 
$\mathbf t^{\rm wd} \in \mathbf T$ is defined by $\mathbf t^{\rm wd}(n) = \mathbf t(2n)$ (wd for width) and we replace $\mathbf t$ by 
$\mathbf t^{\rm ht}$, $\mathbf t^{\rm ht}(n) = \mathbf t(2n+1)$, where for $x = {\rm tm}, {\rm sp}$ we derive from $\mathbf t^{\rm ht}$ the functions 

$\mathbf t^{{\rm ht},x} = (\mathbf t^{\rm ht})^x$, 

and $t_{20+\iota} = t_\iota$. 
1.5 Definition. 1) In Definition 1.3 we say "$\theta_{\Upsilon,\chi,\mathbf t}$ is $\iota$-good" when: for every 
finite model $M$ one of the following occurs: 

(a) $\iota = 1$ and $t_\iota[M,\Upsilon] < \infty$ 

(b) $\iota \in \{2, 3, 4, 5, 6, 7\}$ and in the definition of $t_\iota[M,\Upsilon,\mathbf t]$ always the last 
possibility occurs and not any of the previous ones 

(c) $\iota = 11$: as in the case $\iota = 1$ using $N_t[M,\Upsilon,\mathbf t]$, $\bar P_t[M,\Upsilon,\mathbf t]$ 

(d) $\iota = 22$: as for $\iota = 2$ using $N_t[M,\Upsilon,\mathbf t^{\rm wd}]$, $\bar P_t[M,\Upsilon,\mathbf t^{\rm wd}]$. 

2) We also consider the logic restricted to the $\iota$-good sentences. 

3) If in $\theta_{\Upsilon,\chi,\mathbf t}$ we omit $\chi$ we mean: "$P_{t,0}$ = the set of atoms". 

4) We say that $M \models_\iota \theta_{\Upsilon,\chi,\mathbf t}$ in a good way if this case of part (1) holds. 

1.6 Remark. We can replace, in cases $\iota = 2,3,4$ clause (b), the statement $N^+_t[M,\Upsilon] 
= N^+_{t+1}[M,\Upsilon]$ by a sentence $\chi_1$. 

1.7 Discussion: 0) Note that considering several versions should help to see how 
canonical our logic is. 

1) The smoothest variant for our purpose is $\iota = 4$, and the most natural 
choice is $\mathscr L^* = \mathscr L_{\rm card}$ or $\mathscr L^* = \mathscr L_{{\rm card},\mathbf T}$, but we are not less interested in the 
choice $\mathscr L^* = \mathscr L_{\rm f.o.+na}$. From considering the motivation the most 
natural $\mathbf T$ is $\{n^m : m < \omega\}$, and $\iota = 3$. 

2) For e.g. $\iota = 1,2,3$ some properties of $M$ can be "incidentally" expressed by 
the logic, as the stopping time gives us some information concerning cardinality. 
For example let $Y$ be a complicated set of natural numbers, e.g. non-recursive, 
and let $\mathbf t^* \in \mathbf T$ be: $\mathbf t^*(\|M\|)$ is $\|M\| + 10$ if $\|M\| \in Y$ and $\mathbf t^*(\|M\|) = \|M\| + 6$ if 
$\|M\| \notin Y$. We can easily find $\theta = \theta_{\Upsilon,\chi,\mathbf t^*}$ with $\Upsilon$ a standard induction scheme 
such that it stops exactly for $t = 8$ and $\chi$ saying nothing (or if you like, saying 
that there are 8 natural numbers). Clearly for $\iota = 2, 3$ we have $M \models_\iota \theta_{\Upsilon,\chi,\mathbf t^*}$ 
if $\|M\| \in Y$ and "not $M \models_\iota \theta_{\Upsilon,\chi,\mathbf t^*}$" if $\|M\| \notin Y$. Of course, more generally, 
we could first compute some natural number from $M$ and then compare it with 
$\mathbf t(\|M\|)$. This suggests preferring the option "$\models_\iota$ undefined" in clause (b) of Case 
2, Definition 1.3 rather than "false". 

3) If you like set theory, you can let $t$ be any ordinal; but this is a side issue 
here; see end of §5. 
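As an added example (not from the paper), the following Python simulates the stage construction $N_0[M], N_1[M], \ldots$ of Definition 1.1(3) for a constructed pure, monotonic scheme over an undirected graph, together with the Case 2 stopping rule of Definition 1.3, including the "undefined" outcome that 1.7(2) discusses. The graph, the three $\psi_\ell$, the target sentence $\chi$ ("the set of all atoms has been built", i.e. connectedness) and the bounds $\mathbf t(n) = n^3$, $n^2$ are all constructed for illustration; the side condition "$t > 2$" is taken as written in Case 2.

```python
"""Stage-wise computation N_0[M], N_1[M], ... with the Case 2 stopping rule of
Definition 1.3. Added example (not from the paper): a constructed pure, monotonic
scheme over an undirected graph M, with constructed resource bounds t(||M||)."""
from typing import Callable, FrozenSet, List, Optional, Tuple, Union

Elem = Union[str, frozenset]               # atoms (urelements) are strings, sets are frozensets
Psi = Callable[[Elem, Elem, set], bool]    # psi(x, y, E): formula with one parameter y


def transitive_closure(elems) -> FrozenSet:
    """Smallest transitive set containing elems; atoms contribute no members."""
    closed, todo = set(), list(elems)
    while todo:
        x = todo.pop()
        if x not in closed:
            closed.add(x)
            if isinstance(x, frozenset):
                todo.extend(x)
    return frozenset(closed)


def next_stage(atoms, stage: FrozenSet, psis: List[Psi], edges: set) -> FrozenSet:
    """N_{t+1} = transitive closure of M together with every set
    {a in N_t : psi_l(a, b)} for each psi_l of the scheme and each parameter b in N_t
    (Definition 1.1(3), Case 2; pure scheme, so there are no P_k to update)."""
    defined = {frozenset(a for a in stage if psi(a, b, edges))
               for psi in psis for b in stage}
    return transitive_closure(set(atoms) | defined)


def run_case2(atoms, edges, psis, chi, bound) -> Tuple[Optional[bool], int, List[int]]:
    """Case 2 of Definition 1.3: stop at the least t with
    ||N_{t+1}|| + (t+1) > t(||M||)   (resources exhausted -> truth value undefined)
    or t > 2 and N_t = N_{t+1}        (fixpoint reached  -> evaluate chi in N_t).
    Returns (truth value or None, stopping time, sizes ||N_0||, ..., ||N_{t*+1}||)."""
    limit = bound(len(atoms))
    stages = [frozenset(atoms)]
    t = 0
    while True:
        stages.append(next_stage(atoms, stages[t], psis, edges))
        sizes = [len(s) for s in stages]
        if sizes[t + 1] + (t + 1) > limit:
            return None, t, sizes
        if t > 2 and stages[t] == stages[t + 1]:
            return chi(stages[t]), t, sizes
        t += 1


# --- constructed scheme: growing reachable sets on a graph -------------------
def adjacent(x, y, edges) -> bool:
    return isinstance(x, str) and isinstance(y, str) and (x, y) in edges


def psi_keep(x, y, edges):       # "x in y": re-adds every old set (monotonic, Def. 1.1(2)(E))
    return isinstance(y, frozenset) and x in y


def psi_singleton(x, y, edges):  # "x = y" for an atom y: defines the set {y}
    return isinstance(y, str) and x == y


def psi_grow(x, y, edges):       # y a set: y plus all atoms adjacent to a member of y
    return isinstance(y, frozenset) and (x in y or any(adjacent(x, z, edges) for z in y))


def chi_connected(stage: FrozenSet) -> bool:
    """Target sentence chi: some element of N_t is the set of all atoms."""
    atoms = frozenset(a for a in stage if isinstance(a, str))
    return atoms in stage


def symmetric(pairs):
    return {(a, b) for a, b in pairs} | {(b, a) for a, b in pairs}


SCHEME = [psi_keep, psi_singleton, psi_grow]
PATH = (["a", "b", "c"], symmetric({("a", "b"), ("b", "c")}))   # connected graph
SPLIT = (["a", "b", "c"], symmetric({("a", "b")}))              # c is isolated


def demo():
    """Three runs: two answers (true/false) and one 'undefined' from a bound that is too small."""
    cubic = lambda n: n ** 3
    quadratic = lambda n: n ** 2
    return {
        "path/cubic": run_case2(*PATH, SCHEME, chi_connected, cubic),
        "split/cubic": run_case2(*SPLIT, SCHEME, chi_connected, cubic),
        "path/quadratic": run_case2(*PATH, SCHEME, chi_connected, quadratic),
    }


if __name__ == "__main__":
    for name, (value, t_star, sizes) in demo().items():
        print(f"{name}: value={value} stopping time={t_star} sizes={sizes}")
```

The third run stops at $t = 1$ with the truth value undefined because $\|N_2\| + 2 = 12$ already exceeds $\mathbf t(3) = 9$, while with the cubic bound the same computation reaches its fixpoint and answers.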

Implicit in 1.3 (and an alternative to 1.3) is (note: an $(M,\Upsilon)$-candidate $(N,\bar P)$ 
is what looks like a possible $N_t[M,\Upsilon]$ and a $(\Upsilon,\mathbf t)$-successor of it is what looks 
like $N_{t+1}[M,\Upsilon]$): 

1.8 Definition. Let $M$, $\Upsilon$ as in Definition 1.3 be given. 

1) We say $(N,\bar P)$ is an $M$-candidate or $(M,\Upsilon)$-candidate if: 

(a) $N$ is a finite transitive submodel of $V_\infty[M]$ which includes $M$, expanded 
by the relations of $M$ (so it is a $\tau[1]$-model) 

(b) $\bar P = \langle P_k : k < m_1\rangle$, $P_k$ an $m^\Upsilon_1(k)$-place relation on $N$ or a partial $(m^\Upsilon_1(k) - 
1)$-place function on $N$ when $P_k$ is a predicate or a function symbol 
respectively. 

In fact here the only information from $\Upsilon$ used is $m^\Upsilon_1$, so we may write 
"$(M, m^\Upsilon_1)$-candidate". 

2) We say $(N',\bar P')$ is the $(\Upsilon,\mathbf t)$-successor of $(N,\bar P)$ if $(N',\bar P')$, $(N,\bar P)$ satisfy 
what $N^+_{t+1}[M,\Upsilon,\mathbf t]$, $N^+_t[M,\Upsilon,\mathbf t]$ satisfy in Definition 1.1(3A), so 

$|N'|$ is the transitive closure of $M \cup \bigcup_{\ell < m_0} \mathcal A_\ell[N,\Upsilon,\mathbf t]$, 

where $\mathcal A_\ell = \mathcal A_\ell[N,\Upsilon,\mathbf t]$ is $\mathcal F_\ell[N,\Upsilon] = \big\{\{a : (N,\bar P) \models \psi_\ell(a,\bar b)\} : \bar b \in N\big\}$ if 
this family has $\le \mathbf t(\|M\|)$ members or is equal to $N$, and is empty otherwise. 

2A) We say $(N',\bar P')$ is the $\Upsilon$-successor of $(N,\bar P)$ if $(N',\bar P')$, $(N,\bar P)$ satisfy what 
$N^+_{t+1}[M,\Upsilon]$, $N^+_t[M,\Upsilon]$ satisfy in Definition 1.1(3); this means just that $(N',\bar P')$ 
is the $(\Upsilon,\infty)$-successor of $(N,\bar P)$. 

2B) If $\Upsilon$ is pure (i.e. $m^\Upsilon_1 = 0$), actually only $\bar\psi^\Upsilon$ counts and we may replace $\Upsilon$ 
by $\bar\psi^\Upsilon$. 

2C) We say that $(N,\bar P)$ is an $(M,\Upsilon)^+$-candidate if it is an $(M,\Upsilon)$-candidate and 
the sets $\emptyset$, $|M|$ (= set of atoms) belong to $N$. 

3) We define $N_t = N_t[M,\Upsilon,\mathbf t]$ and $\bar P_t = \bar P_t[M,\Upsilon,\mathbf t]$ by induction on $t$ as follows: 

for $t = 0$ it is $M$ (i.e. with $P_{t,k} = \emptyset$), 

for $t + 1$, $(N_{t+1},\bar P_{t+1})$ is the $(\Upsilon,\mathbf t)$-successor of $(N_t,\bar P_t)$, see 1.9 below, 

for $t = \infty$ we take the union. 



1.9 Claim. 1) If $(N,\bar P)$ is an $(M,\Upsilon)$-candidate, it has exactly one $(\Upsilon,\mathbf t)$-
successor (and exactly one $\Upsilon$-successor). 

2) The pair $(N_t[M,\Upsilon,\infty], \bar P_t[M,\Upsilon,\infty])$ defined in Definition 1.8(3) is equal to 
the pair $(N_t[M,\Upsilon], \bar P_t[M,\Upsilon])$ defined in Definition 1.1(3). 

3) If $\Upsilon$ is monotonic, $(N',\bar P')$ the $\Upsilon$-successor of $(N,\bar P)$ where both are $(M,\Upsilon)^+$-
candidates, then $N \subseteq N'$; if $\Upsilon$ is also standard then $N \subsetneq N'$. 

4) If $\Upsilon$ is strongly monotonic (see Definition 1.1(2)(E)) and $(N',\bar P')$ is the $\Upsilon$-
successor of $(N,\bar P)$, both $(M,\Upsilon)^+$-candidates, then $N \subseteq N'$ and $P_\ell \subseteq P'_\ell$ for 
$\ell < m_1$. 



There are many obvious inclusions between the variants of logics by natural 
translations. We mention the following claim, which tells us that there is no real 
harm if we restrict ourselves to pure $\Upsilon$'s. 

1.10 Claim. 1) Assume $\Upsilon$ is an inductive scheme in $\mathscr L_{\rm f.o.}(\tau^+)$, $\chi$ a sen- 
tence in $\mathscr L_{\rm f.o.}(\tau^+)$. Then we can find a pure inductive scheme $\Upsilon^*$ in $\mathscr L_{\rm f.o.}(\tau^+)$ 
and $r^*, r^{**}$ and $p^*$ and sentences $\theta^*, \chi^*$ and formulas $\varphi^*(x)$, $\varphi^*_k(\bar x_k)$ for $k < 
m^\Upsilon_1$, $\ell g(\bar x_k) = m^\Upsilon_1(k)$ in $\mathscr L_{\rm f.o.}(\tau^+)$ such that: 

$\circledast$ for every $\tau$-model $M$ and $t$ we have, if $t^* = r^{**} + r^* t$, then: 

(a) the set $N_t[M,\Upsilon]$ is $\{a \in N_{t^*}[M,\Upsilon^*] : N_{t^*}[M,\Upsilon^*] \models \varphi^*[a]\}$, 

(b) $P_{t,k}[M,\Upsilon] = \{\bar a \in {}^m(N_{t^*}[M,\Upsilon^*]) : N_{t^*}[M,\Upsilon^*] \models \varphi^*_k[\bar a]\}$, where 
$m = m^\Upsilon_1(k)$, 

(c) $N^+_t[M,\Upsilon] \models \chi$ iff $N_{t^*}[M,\Upsilon^*] \models \chi^*$, 

(d) $N^+_t[M,\Upsilon] = N^+_{t+1}[M,\Upsilon]$ (i.e. it stops) iff $N_{t^*}[M,\Upsilon^*] \models \theta^*$ iff 
$N_{t^*}[M,\Upsilon^*] = N_{t^*+1}[M,\Upsilon^*]$, 

(e) $N_{t^*}[M,\Upsilon^*]$ has exactly $p^*(\|N_t[M,\Upsilon]\|)$ elements, and $N_{t^*+r}[M,\Upsilon^*]$ 
has $\le p^*(\|N_t[M,\Upsilon]\|)$ elements when $r < r^*$, and $p^*$ is an integer polynomial, 

(f) if $\Upsilon$ is standard then so is $\Upsilon^*$. 



2) Similarly using a logic $\mathscr L^*$ if it is closed under first order operations and 
substitutions. 



Remark. We can similarly deal with $N_t[M,\Upsilon,\mathbf t]$, but then we have to deal with 
some form of cardinality quantifiers, etc. 



Proof. For simplicity we assume that $\Upsilon$ is standard. Now for every $(M,\Upsilon)$-
candidate $(N,\bar P)$ we shall define an $M$-candidate $N^* = N^*[N,\bar P]$. We shall have: 

The set of natural numbers of $N^*$ is $\{s : s < r^{**} + r^* t\}$. The universe of $N^*$ 
is the union of the following sets: 

(a) $N$ 

(b) $\{\{x, r^* t\} : x \in N\}$ 
(used to define $N$), 

let $a_{x,k,m} := \{x, r^* t + 1 + k, r^* t + 1 + m_1 + m\}$ for $x \in N$, $k < m_1$, $m < 
m^\Upsilon_1(k)$ 
(used to help to code $P_{t,k}$) 

(c) $\big\{\{a_{x_m,k,m} : m < m^\Upsilon_1(k)\} \cup \{r^* t + 1 + k, r^* t + 1 + m_1 + i\} :$ 
$k < m_1$, $x_0, \ldots, x_{m^\Upsilon_1(k)-1} \in N$ and $i \in \{0,1\}$ and 
$i = 1 \Leftrightarrow \langle x_m : m < m^\Upsilon_1(k)\rangle \in P_{t,k}\big\}$ 

(d) some more elements to take care of the requirement 
"$N_{t^*}[M,\Upsilon^*]$ has exactly $p^*(\|N_t[M,\Upsilon]\|)$ elements" 
(if we agree to "$N_{t^*}[M,\Upsilon^*]$ has exactly $p(\|N_t[M,\Upsilon]\|, t)$ elements" then this is not 
necessary). 

The rest should be clear. $\square_{1.10}$ 



We try to sort out some of the relations between these logics by checking when 
two variants of a sentence say related things, for quite many $\iota_1, \iota_2$. 







1.11 Claim. Let $\iota_1, \iota_2 \in \{1, \ldots, 7\}$ and $\theta_\ell = \theta_{\Upsilon,\chi,\mathbf t_\ell} \in \mathscr L^{\iota_\ell}$ for $\ell = 1, 2$ 
and consider 

($\alpha$) $\theta_2$ is $\iota_2$-good implies $\theta_1$ is $\iota_1$-good, 

($\beta$) for every (finite) $\tau$-model $M$, $(M \models_{\iota_2} \theta_2) \Rightarrow (M \models_{\iota_1} \theta_1)$, 

($\beta)^-$ if $\theta_\ell$ is $\iota_\ell$-good for $\ell = 1,2$ then $M \models_{\iota_2} \theta_2 \Rightarrow M \models_{\iota_1} \theta_1$. 

In the following clauses we list cases which hold under various conditions. 

(A) ($\alpha$)+($\beta$) if $\iota_1 = \iota_2$ and $\mathbf t_1 < \mathbf t_2$, 

(B) ($\alpha$)+($\beta$) if $\iota_1 = 2$, $\iota_2 = 3$, $\Upsilon$ is standard and $\mathbf t_1 > 2\mathbf t_2$, 

(C) ($\alpha$)+($\beta$) if $\iota_1 = 3$, $\iota_2 = 2$, $\Upsilon$ is standard and $\mathbf t_1 > \mathbf t_2$, 

(D) ($\alpha$)+($\beta$) if $\iota_1 = 4$, $\iota_2 = 3$, $\Upsilon$ is standard and $\mathbf t_1 > \mathbf t_2$, 

(E) ($\alpha$)+($\beta)^-$ if $\iota_1 = 3$, $\iota_2 = 4$, $\Upsilon$ is standard and $\mathbf t_1$ is large enough, 

(F) ($\alpha$)+($\beta$) if $\iota_1 = 5$, $\iota_2 = 3$, $\Upsilon$ is standard and $\mathbf t_1 > \mathbf t_2$, 

(G) ($\alpha$)+($\beta$) if $\iota_1 = 3$, $\iota_2 = 5$, $\Upsilon$ is standard and $(\forall n)[\mathbf t_1(n) > n + m_1 \mathbf t_2(n)\mathbf t_2(n)]$, 

(H) ($\alpha$)+($\beta)^-$ if $\iota_1 = 1$, $\iota_2 = 2$, 

(I) ($\alpha$)+($\beta)^-$ if $\iota_1 = 2$, $\iota_2 = 1$ and $\mathbf t_1$ is large enough 
(i.e. $\mathbf t_1(n) > {\rm Max}\{t_{\iota_2}[M,\Upsilon,\mathbf t_2] : M$ a $\tau$-model 
with universe $[n]$ and $t_{\iota_2}[M,\Upsilon,\mathbf t_2] < \infty\}$; note that 
Max is taken on a finite set), 

(J) ($\alpha$)+($\beta$) if $\iota_1 = 6$, $\iota_2 = 2$ and $\mathbf t_1(2n) > \mathbf t_2(n)$, $\mathbf t_1(2n+1) > \mathbf t_2(n)$, 

(K) ($\alpha$)+($\beta$) if $\iota_1 = 2$, $\iota_2 = 6$ and $\mathbf t_2 > \mathbf t_1(2n) + \mathbf t_1(2n+1)$, 

(L) ($\alpha$)+($\beta$) if $\iota_1 = 7$, $\iota_2 = 6$ and $\mathbf t_1 > \mathbf t_2$ 
(note: after "good" stopping, nothing changes), $\mathbf t_1$ is large 
enough. 

Proof. Straightforward. 

1.12 Conclusion. 1) Assume that $\mathbf T$ satisfies 

$(*)$ $(\forall \mathbf s \in \mathbf T)(\forall m)(\exists \mathbf t \in \mathbf T)(\forall n)(\mathbf t(n) > n + m(\mathbf s(n))^2)$. 

Then the logics $\mathscr L^\iota[\mathscr L^*]$ for $\iota = 2,3,4,5,6$ are weakly equivalent, where $\mathscr L^1, \mathscr L^2$ 
are weakly equivalent if $\mathscr L^1 \le_{\rm wk} \mathscr L^2$ and $\mathscr L^2 \le_{\rm wk} \mathscr L^1$, where $\mathscr L^1 \le_{\rm wk} \mathscr L^2$ 
means that for every sentence $\theta_1 \in \mathscr L^1$ there is $\theta_2 \in \mathscr L^2$ such that for every $M$ 
we have$^1$: $M \models \theta_1$ implies $M \models \theta_2$. 

2) If in addition $\mathbf T$ consists of integer polynomials and $\mathscr L^* \in \{\mathscr L_{\rm f.o.+na}, \mathscr L_{\rm card}\}$ 
we can add $\iota = 7$. 

1.13 Remark. In part 1.12(2) we can replace the assumption on $\mathbf t$, demanding 
only that: 

$(*)$ for every $\mathbf t \in \mathbf T$, viewing $\mathbf t$ as $(\mathbf t^{\rm tm}, \mathbf t^{\rm sp})$, there is $\mathbf s \in \mathbf T$ such that we can 
"compute" $\mathbf t^{\rm tm}(n)$, $\mathbf t^{\rm sp}(n)$ in $\mathbf s^{\rm tm}(n)$ time and $\mathbf s^{\rm sp}(n)$ space in the relevant 
sense (using the given $\Upsilon$ etc.). 

$^1$Note that if the truth value of $\theta_1$ in $M$ is undefined, then the implication is trivial. 

1.14 Claim. The family of good sentences in the logic $\mathscr L^\iota[\mathscr L^*](\tau)$, that is the 
logic restricted to $\iota$-good sentences, is closed under the following: the Boolean operations, $(\exists x)$, 
and substitution (that is, up to equivalence) when at least one of the following 
holds: 

$(*)_1$ $\iota = 1$ 

$(*)_2$ $\iota \in \{2,3,5\}$ and $\mathbf T$ satisfies $(*)$ of 1.12 

$(*)_3$ $\iota = 11$ 

$(*)_4$ $\iota = 22$ and for each $\mathbf t \in \mathbf T$, $\mathbf T[\mathbf t^{\rm wd}] := \{\ldots : \mathbf s \in \mathbf T\}$ satisfies 
$(*)$ of 1.12. 

Proof. Straight. 



§2 The General Systems of Partial Isomorphisms 

Though usually our aim is to compare two models $M_1, M_2$, we first concentrate 
on one model $M$; this, of course, gives shorter definitions. 

Our aim is to have a family $\mathcal G$ of partial automorphisms, as in Ehrenfeucht-Fraïssé 
games (actually Karp), of the model $M$ we analyze, not total automorphisms, 
which is too restrictive. But this family has to be lifted to the $N_t$'s. Hence 
their domains (and ranges) may and should sometimes contain an element of 
high rank. It is natural to extend each $f \in \mathcal G$ to $G_t(f)$, a partial automorphism 
of $N_t$. So we should not lose anything when we go up on $t$. The solution is 
$I \subseteq \{A : A \subseteq M\}$ closed downward and $\mathcal G$ (we could have used $\langle\mathcal G_i : i < m_1\rangle$), 
a family of partial automorphisms of $M$. So every $x \in N_t[M]$ will have a support 
$A \in I$, and for $f \in \mathcal G$ its action on $A$ determines its action on $x$ ($G_t(f)(x)$ in this 
section's notation). It is not unreasonable to demand that there is a smallest 
support; still this demand is somewhat restrictive (or we have to add imaginary 
elements as in [Sh:a] or [Sh:c], not a very appetizing choice here). 

But how do we, in stage $t+1$, succeed in adding "all sets $X = X_{\psi,\bar b}$ definable by 
$\psi_\ell(x,\bar b)$ for some sequence $\bar b \in N_t$"? Let $m$ be such that $\bar b = \langle b_1, \ldots, b_m\rangle$. 
The parameters $b_1, \ldots, b_m$ each have a support, say $A_1, \ldots, A_m$ resp., all in 
$I$; so when we have enough mappings in the family $\mathcal G$ the new set has in 
some sense the support $A = \bigcup_{i=1}^{m} A_i$, in the sense that suitable partial mappings 
act as expected. So if $y \in N_t$ has support $B$ ($B R y$ in this section's notation), 
$f \in \mathcal G$, $A \cup B \subseteq {\rm Dom}(f)$ and $f\restriction A = {\rm id}_A$, then the mapping $G_t(f)$ which $f$ 
induces in $N_t$ will satisfy $y \in X_{\psi,\bar b} \Leftrightarrow (G_t(f))(y) \in X_{\psi,\bar b}$. 

But we are not allowed to increase the family of possible supports, and $A$, though 
a kind of support, is probably too large: in general, $I$ is not closed under unions. 
But, if we add $X = X_{\psi,\bar b}$, we have to add all "similar" $X' = X_{\psi,\bar b'}$. Recall that 
necessarily our strategy is to look for a support $A' \in I$ for $X_{\psi,\bar b}$. So we would like to find 
$A' \in I$ which is a support of $X$, that is, such that if $f \in \mathcal G$ and $A \cup A' \subseteq {\rm Dom}(f)$, 
then $f\restriction A$ induces a mapping of $X_{\psi,\bar b}$ to some $X_{\psi,\bar b'}$, which when $f\restriction A' = 
{\rm id}_{A'}$ satisfies that $X_{\psi,\bar b'}$ will be equal to $X_{\psi,\bar b}$, thus justifying the statement 
"$A'$ supports $X$." How? We use our bound on the size of the computation. 
So we need a dichotomy: either there is $A' \in I$ as above, or the number of sets 
$X_{\psi,\bar b'}$ defined by $\psi_\ell(x,\bar b')$, varying $\bar b'$, is too large!! 

On this dichotomy hangs the proof. 

However, we do not like to state this as a condition on $N_t$ but rather on $M$. 
We do not "know" how $\psi_\ell(x,\bar b')$ will act, but for any possible one this induces 
an equivalence relation on the set of images of $A$ (for this $\mathcal G$ has to be large 
enough). 

Actually, we can ignore the $\psi_\ell$'s and develop a set theory of elements, demanding 
each has a support in $I$ through $\mathcal G$. Now we break the proof into definitions and 
claims. 

We consider several variants of the logic: the usual variant, to make preserva- 
tion clear, and the case with the cardinality quantifier. We use one $\mathcal G$ but we 
could have used $\langle\mathcal G_\ell : \ell < k'\rangle$; in this case actually, for much of the treatment, 
only one of them would count. The relevant basic family of partial automorphisms is 
defined in 2.1. Note that the case with cardinality logic, with a stronger as- 
sumption, is clearer; if you like to concentrate on it, ignore 2.1(4) and read in 
Definition 2.3 only part (1), ignore 2.9 but read 2.10, ignore 2.17, 2.20 but read 
2.18, ignore 2.22, 2.24 but read 2.23. 

2.1 The Main Definition. 

1) We say $\mathfrak X = (M, I, \mathcal G)$ is a $k$-system if 

(A) $I$ is a non empty family of subsets of $|M|$ (the universe of the model $M$) 
closed under subsets, and each singleton belongs to it 

[hint: intended as the possible supports of elements of $N_t[M,\Upsilon]$ and as a first approxi- 
mation to the possible supports of the partial automorphisms of $M$, where $M$ is the 
model of course; the intention is that $M$ is a finite model]. 

Let $I[m] := \{\bigcup_{\ell=1}^{m} A_\ell : A_\ell \in I$ for $\ell = 1, \ldots, m\}$. 

(B) $\mathcal G$ is a non empty family of partial automorphisms of $M$ such that $f \in \mathcal G$ 
& $A \subseteq {\rm Dom}(f)$ & $A \in I \Rightarrow f''(A) \in I$ (recall $f''(A) = \{f(x) : 
x \in A \cap {\rm Dom}(f)\}$); $\mathcal G$ is closed under inverse (i.e. $f \in \mathcal G \Rightarrow f^{-1} \in \mathcal G$) 
and composition and restriction (hence, together with (D), clearly $B \in 
I[k] \Rightarrow {\rm id}_B \in \mathcal G$) 

(C) if $f \in \mathcal G$ then ${\rm Dom}(f)$ is the union of $\le k$ members of $I$ 

(D) if $f \in \mathcal G$ and $A_1, \ldots, A_{k-1}, A_k \in I$ and $\ell \in \{1, \ldots, k-1\} \Rightarrow A_\ell \subseteq 
{\rm Dom}(f)$, then for some $g \in \mathcal G$ we have 

$f\restriction\bigcup_{\ell=1}^{k-1} A_\ell \subseteq g$ 

$A_k \subseteq {\rm Dom}(g)$. 

2) Assume $\mathfrak X$ is a $k$-system and $B \in I[m]$, $m \le k-2$ and $A \in I$. 

($\alpha$) let $H_{\mathfrak X}(B,A) = \{g \in \mathcal G : {\rm Dom}(g) = B \cup A$ and ${\rm id}_B \subseteq g\}$ 

($\beta$) $\mathcal E_{\mathfrak X}(B,A)$ is the family of equivalence relations $E$ on $H_{\mathfrak X}(B,A)$ such 
that: 

$(*)$ if $g_1, g_2, g_3, g_4 \in H_{\mathfrak X}(B,A)$ and $f \in \mathcal G$ satisfies ${\rm id}_B \subseteq f$, $g_1''(A) \cup 
g_2''(A) \subseteq {\rm Dom}(f)$ and $g_3 \supseteq f \circ (g_1\restriction(B \cup A))$, $g_4 \supseteq f \circ (g_2\restriction(B \cup A))$ 
then $g_1 E g_2 \Leftrightarrow g_3 E g_4$. 

(this tells you in particular that only $g\restriction A$ matters for determining $g/E$) 

3) 

($\alpha$) Let $H_{I,m} = H_{\mathfrak X,m}$ be the family of functions $h$ from $[m] = \{1, \ldots, m\}$ 
to ${\rm Seq}_I = \{\bar a : \bar a$ a list with no repetitions of some $A \in I$; we can look at $\bar a$ 
as a one-to-one function from $[0, \ell g(\bar a))$ onto $A\}$; of course for $f \in \mathcal G$ and 
$\bar a, \bar b \in {\rm Seq}_I$ the meaning of $f(\bar a) = \bar b$ is $\ell g(\bar a) = \ell g(\bar b)$ and $f(a_i) = b_i$ for 
$i < \ell g(\bar a)$. Let ${\rm Seq}_{I,A} = \{\bar a \in {\rm Seq}_I : {\rm Rang}(\bar a) = A\}$. For $m = 1$ we may 
identify $h : [m] \to {\rm Seq}_I$ with $h(1)$, so $H_{I,1}$ is identified with ${\rm Seq}_I$. 

($\beta$) for $h \in H_{I,m}$ and $f \in \mathcal G$ such that $\bigcup_{i \in [m]} {\rm Rang}(h(i)) \subseteq {\rm Dom}(f)$ we define 
$h' = f * h$ as the following function: ${\rm Dom}(h') = [m]$ and $h'(i) = f \circ (h(i))$ 

($\gamma$) let $2r + s \le k$; for $B \in I[s]$ and $1 \le m \le r$ let $E^0_{\mathfrak X,B,m}$ be the 
following 2-place relation on $\{h : h : [m] \to {\rm Seq}_I\}$: 

$h_1 E^0_{\mathfrak X,B,m} h_2$ iff for some $f \in \mathcal G$, ${\rm id}_B \subseteq f$ and $h_2 = f * h_1$. 

If $B = \emptyset$ we may omit it; similarly $m = 1$. 

($\delta$) for $2m + s \le k$ and $B \in I[s]$ let $\mathcal E_{I,m}(B) = \mathcal E_{\mathfrak X,m}(B)$ be the family of 
equivalence relations $E$ such that for some $h^* \in H_{I,m}$, $E$ is an equivalence 
relation on the set $\{h \in H_{I,m} : h E^0_{\mathfrak X,B,m} h^*\}$ which satisfies: 

$(*)$ if $h_1, h_2, h_3, h_4 \in H_{I,m}$, $f \in \mathcal G$, ${\rm id}_B \subseteq f$, $h_2 = f * h_1$, $h_4 = f * h_3$ 
and $\bigcup\{{\rm Rang}(h_1(i)) \cup {\rm Rang}(h_3(i)) : i \in [m]\} \subseteq {\rm Dom}(f)$, 
then $h_1 E h_3 \Leftrightarrow h_2 E h_4$. 

If $B = \emptyset$ we may omit it. If $m = 1$ we may omit it. 



4) We say that a $k$-system $(M, I, \mathcal G)$ is $(\mathbf t, r)$-dichotomical$^2$ when 

$\circledast$ if $1 \le m \le r$ and $E \in \mathcal E_{\mathfrak X,m}$ then $(\beta)_1 \vee (\beta)_2$ where 

$(\beta)_1$ there is $A \in I$ which satisfies: 
if $h_1, h_2 \in H_{I,m}$, $f \in \mathcal G$, ${\rm id}_A \subseteq f$ and $h_2 = f * h_1$ then $h_1 E h_2$ 

$(\beta)_2$ the number of $E$-equivalence classes is $> \mathbf t(\|M\|)$. 

$^2$Note that this is how from "there are not too many" we get "there is a support in $I$". 

If we omit $r$ (and write $\mathbf t$-dichotomical) we mean $r = [k/2]$, $k \ge 3$. 

Note that in parts (3), (4) without loss of generality $h$ is one-to-one. 

* * * 

2.2 Remark. 1) However, if we shall deal with $\mathscr L^* = \mathscr L_{\rm card}$ or $\mathscr L^* = \mathscr L_{{\rm card},\mathbf T}$ 
we naturally have to require that $f \in \mathcal G$ preserve more. Whereas the $(\mathbf t,r)$-
dichotomy is used to show that either we try to add too many sets to some 
$N_t[M,\Upsilon]$ or we have a support, the "counting $(k,r)$-system" assures us that the 
lifting of $f$ preserves the counting quantifier, and the medium $(\mathbf t,r)$-dichotomy 
will be used in the maximal successor, see 2.24. 

2) It causes no real harm in 2.1(3)($\gamma$), ($\delta$), and similarly later, to restrict our- 
selves to e.g. $r + s \le k/100$, $k \ge 400$. 

2.3 Definition. 1) We say $\mathfrak X = (M, I, \mathcal G)$ is a counting (or super) $(k, r)$-system 
if: 

$\mathfrak X$ is a $k$-system and 

$(*)_1$ Assume that $0 < m \le r$ and for $\ell = 1,2$ we have $B_\ell \in I[m]$ and 
$E_\ell \in \mathcal E_{\mathfrak X,m}(B_\ell)$. If $f \in \mathcal G$, $f$ maps $B_1$ onto $B_2$ and $f$ maps $E_1$ to $E_2$ (see 
2.4(1)), then $|{\rm Dom}(E_1)/E_1| = |{\rm Dom}(E_2)/E_2|$. 

(This should be good for analyzing the model $N_t[M,\Upsilon,\mathbf t]$.) If we omit $r$ (write 
counting $k$-system) we mean $r = k-2$, $k \ge 3$. 

2) We say that the $k$-system $\mathfrak X = (M, I, \mathcal G)$ is a medium $(\mathbf t, k, r)$-system if 

$(*)_2$ Assume that $1 \le m \le r$ and for $\ell = 1,2$ we have $B_\ell \in I[m]$ and 
$E_\ell \in \mathcal E_{\mathfrak X,m}(B_\ell)$. If $f \in \mathcal G$, $f$ maps $B_1$ onto $B_2$ and $f$ maps $E_1$ to $E_2$ (see 
2.4), then $|{\rm Dom}(E_1)/E_1| = |{\rm Dom}(E_2)/E_2|$ or both are $> \mathbf t(\|M\|)$. 

3) We omit $r$ if $r = k-2 \ge 1$ (see 2.8 below). 

Note that 2.4 is close to 2.8 and 2.7(2)-(4). 

2.4 Observation. Let $\mathfrak X = (M, I, \mathcal G)$ be a $k$-system. 

1) 

($\alpha$) if $2m + s \le k$ and $B \in I[s]$, then $E^0_{\mathfrak X,B,m}$ is an equivalence relation 
satisfying $(*)$ of Definition 2.1(3)($\delta$) 

($\beta$) the following two conditions on $B \in I[s]$, $m \le (k-s)/2$, $s \le k$ and $\mathcal K$ are 
equivalent: 

(i) $\mathcal K$ is an equivalence class of $E^0_{\mathfrak X,B,m}$ 

(ii) $\mathcal K$ is the domain of some $E \in \mathcal E_{I,m}(B)$ 

($\gamma$) if $k^* = 2m + s \le k$ and $\mathcal G^* = \{f\restriction A : f \in \mathcal G, A \in I[k^*]\}$, and 
$\mathfrak X^* = (M, I, \mathcal G^*)$ then $\mathfrak X^*$ is a $k^*$-system and for each $B \in I[s]$ we have 
$\mathcal E_{\mathfrak X,m}(B) = \mathcal E_{\mathfrak X^*,m}(B)$ and $E^0_{\mathfrak X,B,m} = E^0_{\mathfrak X^*,B,m}$ 

($\delta$) if $B_1, B_2 \in I[k-2]$, $f \in \mathcal G$, $f$ maps $B_1$ onto $B_2$ and $g'_1, g''_1 \in {\rm Seq}_I$, 
${\rm Rang}(g'_1) \cup {\rm Rang}(g''_1) \subseteq {\rm Dom}(f)$, then $g'_2 := f \circ g'_1$ belongs to ${\rm Seq}_I$ and 
$g''_2 := f \circ g''_1$ belongs to ${\rm Seq}_I$ and $g'_1 E^0_{\mathfrak X,B_1,1} g''_1 \Leftrightarrow g'_2 E^0_{\mathfrak X,B_2,1} g''_2$ 

($\varepsilon$) If $B_1 \in I[k-2]$, $A_2 \in I$, $f \in \mathcal G$, $B_1 \subseteq {\rm Dom}(f)$, $B_2 = f''(B_1)$, then we 
can define $f(E) \in \mathcal E_{\mathfrak X,1}(B_2)$ for $E \in \mathcal E_{\mathfrak X,1}(B_1)$ (the image of $E$ by 
$f$) by: if $f\restriction B_1 \subseteq g \in \mathcal G$, $\bar a_1, \bar a_2 \in {\rm Seq}_I$, $g$ maps $\bar a_1$ to $\bar a^*_1$ and $g$ maps $\bar a_2$ 
to $\bar a^*_2$ then $\bar a_1 E \bar a_2 \Leftrightarrow \bar a^*_1\, f(E)\, \bar a^*_2$. 

2) Let $2r + s \le k$; clauses ($\delta$), ($\varepsilon$) hold in parallel to part (1) with $m \le r$, $h_\ell \in H_{I,m}$, $B_\ell \in I[s]$. 

Proof. Straight, e.g.: 

Part (1), Clause ($\alpha$): We use: $\mathcal G$ contains ${\rm id}_C$ whenever $C \in I[k]$ (for reflexivity), 
is closed under inverting (for symmetry) and is closed under composition (for 
transitivity). 

$\square_{2.4}$ 

2.5 Discussion 1) In the system $\mathfrak X = (M, I, \mathcal G)$ we deal only with partial au- 
tomorphisms of $M$; we need to lift them to the models $N_t[M,\Upsilon]$ or actually 
$N^+_t[M,\Upsilon]$ or $N^+_t[M,\Upsilon,\mathbf t]$ appearing in Definition 1.3; this motivates the follow- 
ing Definition 2.6. (We more generally define liftings to $(M,\Upsilon)$-candidates.) 

2) Note that here probably it is more natural if in the definition of $k$-system 
we replace the relations "$f \subseteq g$", "$f = g\restriction A$", "$f''(A)$" on $\mathcal G$ by abstract 
ones (so $\mathcal G$ will be an index set). Also in Definition 2.6 we could demand more 
properties which naturally hold (similarly in Definition 2.13, e.g. if you satisfy 
the properties of "a set $B$ is an $\mathfrak N$-support of $x$" you are one). 

2.6 Definition. 1) Let $\mathfrak X = (M, I, \mathcal G)$ be a $k$-system, $M$ a $\tau$-model, $\Upsilon$ an 
inductive scheme for $\mathscr L^*(\tau^+)$ and $m_1 = m^\Upsilon_1$. 

We say $\mathfrak N = (N, \bar P, G, R) = (N^{\mathfrak N}, \bar P^{\mathfrak N}, G^{\mathfrak N}, R^{\mathfrak N})$ is a $\Upsilon$-lifting or $m_1$-lifting 
of $\mathfrak X$ if 

(a) $(N,\bar P)$ is an $(M, m_1)$-candidate, so $N$ is a transitive submodel of set 
theory, i.e. of $V_\infty[M]$, with $M$ as its set of urelements and the relations 
of $M$ (see Definition 1.4(1)) 

(b) $G$ is a function with domain $\mathcal G$ 

(c) for $f \in \mathcal G$: 

($\alpha$) $G(f)$ is a function with domain $\subseteq N$, $f \subseteq G(f)$, moreover $f = 
G(f)\restriction M$ and 

($\beta$) $G(f)$ is a partial automorphism of $N$ 

(d) if $f \in \mathcal G$, $g \in \mathcal G$, $f \subseteq g$ then $G(f) \subseteq G(g)$ 

(e) $R$ is a two-place relation written $xRy$ such that 
$xRy \Rightarrow x \in I$ & $y \in N$ 
[we say: $x$ is an $\mathfrak N$-support of $y$] 

(f) 

($\alpha$) if $ARy$ and $f \in \mathcal G$, $A \subseteq {\rm Dom}(f)$, then 
$y \in {\rm Dom}(G(f))$ and $f\restriction A = {\rm id}_A \Rightarrow G(f)(y) = y$ 

($\beta$) if $f \in \mathcal G$ and $y \in {\rm Dom}(G(f))$ (hence $y \in N$) then some $\mathfrak N$-support 
of $y$ is included in ${\rm Dom}(f)$ 

(g) $(\forall y \in N)(\exists A \in I)\, ARy$ 
[i.e. every element of $N$ has an $\mathfrak N$-support] 

(h) if $A \in I$ and $A \subseteq {\rm Dom}(f)$, $y \in {\rm Dom}(G(f))$ then 
$ARy \Rightarrow f''(A)\, R\, (G(f)(y))$ 

(i) for $f \in \mathcal G$ we have $G(f^{-1}) = (G(f))^{-1}$ 

(j) for $f_1, f_2 \in \mathcal G$, $f = f_2 \circ f_1$ we have$^3$ $G(f) \subseteq G(f_2) \circ G(f_1)$ 

(k) if $\bar a \in {}^{m_1(\ell)}({\rm Dom}(f))$ and $f \in \mathcal G$ and $f(\bar a)$ is well defined, then $\bar a \in P^{\mathfrak N}_\ell \Leftrightarrow 
f(\bar a) \in P^{\mathfrak N}_\ell$; moreover $\emptyset R c_\ell$ if $P_\ell$ is the individual constant $c_\ell$, when 
$c_\ell$ is well defined (see Definition 1.1(2)(F); this implies that $G(f)$ is a 
partial automorphism of $(N,\bar P)$). 

We may write $m_1 = m^\Upsilon_1$; recall that $m_1(k)$ gives the arity of $P_k$ and the infor- 
mation whether it is a relation or a (possibly partial) function. 

2.7 Fact: Let $\mathfrak X = (M, I, \mathcal G)$ be a $k$-system, and $\mathfrak N$ be an $m_1$-lifting of $\mathfrak X$. 

1) The $0$-$\Upsilon$-lifting (in Definition 2.12) exists and is a lifting (see Definition 
2.6). 

2) If $f_1, f_2 \in \mathcal G$ and $A$ is an $\mathfrak N$-support of $y \in N$ then 

$f_1\restriction A = f_2\restriction A$ & $A \subseteq {\rm Dom}(f_1) \Rightarrow G(f_1)(y) = G(f_2)(y)$. 

3) From $\mathfrak N$ we can reconstruct $\mathcal G$, $\mathfrak X$, $m_1$; and if $I = \{A :$ for some $B$, $A \subseteq 
B$ and $B$ is an $\mathfrak N$-support of some $y \in N\}$ then we can reconstruct also $I$ (so the 
whole $\mathfrak X$). 

Proof. 1) Easy [compare with 2.4, 2.8]. 

2) Let $y' = G(f_2)(y)$, let $A_1 = A$, $A_2 = f_2''(A_1)$; hence as $A$ is an $\mathfrak N$-support of 
$y$ and $A \subseteq {\rm Dom}(f_1)$, necessarily $y'$ is well defined and $A_2 R^{\mathfrak N} y'$ (see Definition 
2.6(1) clause (h)). We know that $f_2^{-1}$ and $f_2^{-1} \circ f_1$ belong to $\mathcal G$ (see Definition 
2.6(1) clauses (i) and (j)). We also know that $A_2 \subseteq {\rm Dom}(f_2^{-1})$, so as $A_2 R^{\mathfrak N} y'$ 
(see above) we have $y' \in {\rm Dom}(G(f_2^{-1}))$ (see Definition 2.6(1), clause (f)($\alpha$)) 
and $(G(f_2^{-1}))(y') = y$ (by Definition 2.6(1), clause (i), as $(G(f_2))(y) = y'$ by the 
choice of $y'$). 

Clearly $A = A_1 \subseteq {\rm Dom}(f_2^{-1} \circ f_1)$, hence (see Definition 2.6(1), clause (f)($\beta$)) 
we have $y \in {\rm Dom}(G(f_2^{-1} \circ f_1))$. 

$^{1}$So maybe $x$ even has support $C_\ell$ for $\ell = 1, 2$ but $x$ has no support $\subseteq \mathrm{Dom}(f)$.
But $\mathrm{id}_A \subseteq f_2^{-1} \circ f_1$, so as $ARy$ we have $y = (G(f_2^{-1} \circ f_1))(y)$. By Definition 2.6(1), clause (j) we have, as the left side is well defined:

$$(G(f_2^{-1} \circ f_1))(y) = ((G(f_2^{-1})) \circ (G(f_1)))(y)$$

and trivially

$$((G(f_2^{-1})) \circ (G(f_1)))(y) = (G(f_2^{-1}))((G(f_1))(y)).$$

By the last three equations $y = (G(f_2^{-1} \circ f_1))(y) = (G(f_2^{-1}))((G(f_1))(y))$, but by the above we note $y = (G(f_2^{-1}))(y')$. So, as $G(f_2^{-1})$ is one-to-one (having an inverse), we have $(G(f_1))(y) = y'$; now as $y'$ was defined as $(G(f_2))(y)$ we are done.

3) Straightforward. $\square_{2.7}$
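As an added illustration (not part of the original paper), the equalities behind part 2) of Fact 2.7 collected in one display; the notation $\mathfrak{F}$ for the family of partial automorphisms, $\mathfrak{J}$ for the lifting and $\restriction$ for restriction is our reading of the scanned symbols, and the clause numbers refer to Definition 2.6(1):

$$
\begin{aligned}
&\text{Assume } f_1, f_2 \in \mathfrak{F},\ ARy,\ A \subseteq \mathrm{Dom}(f_1),\ f_1 \restriction A = f_2 \restriction A;\ \text{put } y' := G(f_2)(y),\ g := f_2^{-1} \circ f_1.\\
&g \restriction A = \mathrm{id}_A \ \Rightarrow\ G(g)(y) = y && \text{(f)}(\alpha)\\
&G(g)(y) = G(f_2^{-1})\big(G(f_1)(y)\big) && \text{(j), left side well defined}\\
&G(f_2^{-1})(y') = G(f_2)^{-1}(y') = y && \text{(i)}\\
&\text{so } G(f_2^{-1})\big(G(f_1)(y)\big) = y = G(f_2^{-1})(y'),\ \text{and } G(f_2^{-1}) \text{ is injective (it has inverse } G(f_2)\text{),}\\
&\text{hence } G(f_1)(y) = y' = G(f_2)(y).
\end{aligned}
$$

The only place the hypothesis $f_1 \restriction A = f_2 \restriction A$ is used is the first line, through $g \restriction A = \mathrm{id}_A$; everything else is the functoriality of $G$ recorded in clauses (i) and (j).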

Note that 2.8 is close to 2.4 and 2.12(2)-(4).

2.8 Definition/Claim. Let $\mathfrak{Y} = (M, I, \mathfrak{F})$ be a $k$-system and $\mathfrak{J} = (N, P, G, R)$ be an $m_1$-lifting of $\mathfrak{Y}$.

1) For $B \subseteq N$ let $E_B$ be the following 2-place relation on $N$:

$$x_1 E_B x_2 \text{ iff for some } f \in \mathfrak{F} \text{ we have } \mathrm{id}_B \subseteq f \text{ and } (G(f))(x_1) = x_2.$$

2) If $B \in I[k-2]$ so $k \geq 3$ then

($\alpha$) $E_B$ is an equivalence relation on $N$

($\beta$) if $f \in \mathfrak{F}$, $B \subseteq \mathrm{Dom}(f)$ then $f$ maps $E_B$ to $E_{f''(B)}$ which means:

$$f \restriction B \subseteq g \in \mathfrak{F} \ \&\ (G(g))(x_i) = y_i \text{ for } i < 2 \ \Rightarrow\ [x_1 E_B x_2 \equiv y_1 E_{f''(B)} y_2]$$

($\gamma$) if $B \subseteq \mathrm{Dom}(f)$ then there is a one-to-one function $F = F_{f,B}$ from $N/E_B$ onto $N/E_{f''(B)}$ such that:

$(*)_1$ for $x_1, x_2 \in N$ we have: $(\exists g)(f \restriction B \subseteq g \in \mathfrak{F},\ G(g)(x_1) = x_2) \Rightarrow F(x_1/E_B) = x_2/E_{f''(B)}$

($\delta$) if $x \in N$ and $ARx$ and $\bar a \in \mathrm{Seq}(A)$ then there is an equivalence relation $E$ with domain $\{f(\bar a) : f \text{ extends } \mathrm{id}_B \text{ and } A \subseteq \mathrm{Dom}(f)\}$ such that:

$(*)_2$ if $f_\ell \in \mathfrak{F}$, $\mathrm{id}_B \subseteq f_\ell$ and $A \subseteq \mathrm{Dom}(f_\ell)$ for $\ell = 1, 2$ then $G(f_1)(x) = G(f_2)(x) \equiv f_1(\bar a) E f_2(\bar a)$

$(*)_3$ $|x/E_B| = |\mathrm{Dom}(E)/E|$

($\varepsilon$) if $f, F$ are as in clause ($\gamma$) and $x_1, x_2 \in N$ then

$(*)_4$ if $F(x_1/E_B) = x_2/E_{f''(B)}$ and $\mathfrak{Y}$ is a counting $k$-system, then $|x_1/E_B| = |x_2/E_{f''(B)}|$

$(*)_5$ if $F(x_1/E_B) = x_2/E_{f''(B)}$ and $\mathfrak{Y}$ is a medium $(t, k)$-system, then $|x_1/E_B| = |x_2/E_{f''(B)}|$ or both are $\geq t(M)$.
Proof of (2).

Clause ($\alpha$):

Reflexivity: For $x \in N$ choose a $\mathfrak{J}$-support $A \in I$, so we can find $f \in \mathfrak{F}$ extending $\mathrm{id}_{B \cup A}$ hence $G(f)$ maps $x$ to itself, hence $x E_B x$.

Symmetry: If $f \in \mathfrak{F}$ witnesses $x E_B y$ then $f^{-1} \in \mathfrak{F}$ witnesses $y E_B x$.

Transitivity: If $x_0 E_B x_1$, $x_1 E_B x_2$ let $f_1$ witness $x_0 E_B x_1$ and let $f_2$ witness $x_1 E_B x_2$, now let $A_0 \subseteq \mathrm{Dom}(f_1)$ be a $\mathfrak{J}$-support of $x_0$, so $A_1 = f_1''(A_0) \subseteq \mathrm{Rang}(f_1)$ is a $\mathfrak{J}$-support of $x_1$, now let $A_1' \subseteq \mathrm{Dom}(f_2)$ be a $\mathfrak{J}$-support of $x_1$, so $B \cup A_1 \in I[k-1]$ hence without loss of generality $A_1 \subseteq \mathrm{Dom}(f_2)$ hence $A_2 = f_2''(A_1)$ is a $\mathfrak{J}$-support of $x_2$, so $x_0 \in \mathrm{Dom}(G(f_2 \circ f_1))$ and $G(f_2 \circ f_1) \subseteq G(f_2) \circ G(f_1)$ hence $G(f_2 \circ f_1)(x_0) = x_2$ as required.

Clause ($\beta$):

So assume $f \restriction B \subseteq g \in \mathfrak{F}$ and $(G(g))(x_\ell) = y_\ell$ for $\ell = 1, 2$ and we should prove $x_1 E_B x_2 \equiv y_1 E_{f''(B)} y_2$. It suffices to prove $x_1 E_B x_2 \Rightarrow y_1 E_{f''(B)} y_2$ (as applying it to $B' = f''(B)$, $f' = f^{-1}$, $g' = g^{-1}$, $y_1, y_2, x_1, x_2$ we get the other implication). As $x_1 E_B x_2$ we can find a witness $h$, i.e., $\mathrm{id}_B \subseteq h \in \mathfrak{F}$ and $(G(h))(x_1) = x_2$. Let $A_1 \subseteq \mathrm{Dom}(h)$ be a $\mathfrak{J}$-support of $x_1$ and let $A_2 = h''(A_1)$, so $A_2$ is a $\mathfrak{J}$-support of $x_2$.

If $B \in I[k-4]$ without loss of generality $A_1, A_2 \subseteq \mathrm{Dom}(g)$, and let $A_1^* = g''(A_1)$, $A_2^* = g''(A_2)$, lastly let $g^* = g \circ h \circ g^{-1}$. Now $(G(g^*))(y_1) = y_2$, $\mathrm{id}_{f''(B)} \subseteq g^*$ so $g^*$ witnesses $y_1 E_{f''(B)} y_2$ as required.

But maybe $B \notin I[k-4]$, still $B \in I[k-2]$; now for $\ell = 1, 2$, as $(G(g))(x_\ell) = y_\ell$ there is a $\mathfrak{J}$-support $C_\ell$ of $x_\ell$ such that $C_\ell \subseteq \mathrm{Dom}(g)$ and let $C'_\ell = g''(C_\ell)$. So we can find, for $\ell = 1, 2$, a function $g_\ell \in \mathfrak{F}$ such that $g \restriction (B \cup C_\ell) \subseteq g_\ell$ and $A_\ell \subseteq \mathrm{Dom}(g_\ell)$, and also there is $h_1 \in \mathfrak{F}$ such that $h \restriction (B \cup A_1) \subseteq h_1$ and $C_1 \subseteq \mathrm{Dom}(h_1)$. So $h_1 \circ g_1^{-1}$ extends $(g \restriction B)^{-1}$ and $C'_1 \subseteq \mathrm{Dom}(g_1^{-1})$, $(g_1^{-1})''(C'_1) = C_1 \subseteq \mathrm{Dom}(h_1)$ but $C'_1$ is a $\mathfrak{J}$-support of $y_1$. Hence $(G(h_1 \circ g_1^{-1}))(y_1)$ is well defined and equal to $(G(h_1) \circ G(g_1^{-1}))(y_1) = (G(h_1))((G(g_1^{-1}))(y_1)) = (G(h_1))(x_1) = x_2$. Let $g_2 \in \mathfrak{F}$ be such that $g \restriction (B \cup A_2) \subseteq g_2$ and $(h_1 \circ g_1^{-1})''(C'_1) \subseteq \mathrm{Dom}(g_2)$ and similarly we get that $g_2 \circ h_1 \circ g_1^{-1}$ extends $\mathrm{id}_{f''(B)}$ and $(G(g_2 \circ h_1 \circ g_1^{-1}))(y_1) = y_2$, so we are done.

Clauses ($\gamma$), ($\delta$), ($\varepsilon$):

Should be clear. $\square_{2.8}$
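As an added example (not part of the original paper), the verification of 2.8(2)($\alpha$) written as three explicit witness constructions, with the clause of Definition 2.6(1) used at each step; notation ($\mathfrak{F}$, $\mathfrak{J}$, $\restriction$, $h''(A)$ for the image of $A$ under $h$) is our reading of the scanned symbols, and $B \in I[k-2]$ is assumed throughout:

$$
\begin{aligned}
&\textbf{Reflexivity.}\ x \in N,\ A \in I,\ ARx \text{ (clause (g))};\ B \cup A \in I[k-1] \text{ so some } f \in \mathfrak{F} \text{ extends } \mathrm{id}_{B \cup A};\\
&\qquad f \restriction A = \mathrm{id}_A \Rightarrow G(f)(x) = x \text{ (clause (f)}(\alpha)\text{)},\ \text{so } f \text{ witnesses } x E_B x.\\[4pt]
&\textbf{Symmetry.}\ \mathrm{id}_B \subseteq f,\ G(f)(x) = y\ \Rightarrow\ \mathrm{id}_B \subseteq f^{-1},\ G(f^{-1})(y) = G(f)^{-1}(y) = x \text{ (clause (i))}.\\[4pt]
&\textbf{Transitivity.}\ \mathrm{id}_B \subseteq f_1, f_2,\ G(f_1)(x_0) = x_1,\ G(f_2)(x_1) = x_2;\ A_0 \subseteq \mathrm{Dom}(f_1),\ A_0 R x_0 \text{ (clause (f)}(\beta)\text{)};\\
&\qquad A_1 := f_1''(A_0) R x_1 \text{ (clause (h))};\ B \cup A_1 \in I[k-1],\ \text{so w.l.o.g. } A_1 \subseteq \mathrm{Dom}(f_2) \text{ (replace } f_2 \text{ by an extension of } f_2 \restriction (B \cup A_1)\text{)};\\
&\qquad \mathrm{id}_B \subseteq f_2 \circ f_1,\ A_0 \subseteq \mathrm{Dom}(f_2 \circ f_1),\ \text{so } x_0 \in \mathrm{Dom}(G(f_2 \circ f_1)) \text{ (clause (f)}(\alpha)\text{)};\\
&\qquad G(f_2 \circ f_1)(x_0) = G(f_2)(G(f_1)(x_0)) = x_2 \text{ (clause (j))},\ \text{so } f_2 \circ f_1 \text{ witnesses } x_0 E_B x_2.
\end{aligned}
$$

The replacement of $f_2$ in the transitivity step is where the assumption $B \in I[k-2]$ enters: the support $A_1$ has to fit beside $B$ inside a set of the $k$-system, which is exactly what $B \cup A_1 \in I[k-1]$ provides.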

Quite naturally, for such an $m_1$-lifting $\mathfrak{J}$ of $\mathfrak{Y}$ the family $\{G(f) : f \in \mathfrak{F}\}$ helps us to understand first order logic on $(N^{\mathfrak{J}}, P^{\mathfrak{J}})$.
2.9 Claim. Assume $\mathfrak{Y} = (M, I, \mathfrak{F})$ is a $k$-system and $\mathfrak{J} = (N, P, G, R)$ is an $m_1$-lifting of $\mathfrak{Y}$.

Then

$(*)$ Assume $\varphi(\bar x)$ is first order and $k > \text{quantifier depth}(\varphi(\bar x)) + \ell g(\bar x)$, or just $\varphi(\bar x) \in \mathcal{L}_{\infty,k}$ which means:

every subformula of $\varphi(\bar x)$ (e.g. $\varphi$ itself) has $< k$ free variables.

If $\bar a \in {}^{\ell g(\bar x)}N$, $A_\ell R a_\ell$ and $A_\ell \subseteq \mathrm{Dom}(f)$ (hence $a_\ell \in \mathrm{Dom}(G(f))$) for $\ell < \ell g(\bar x)$ and $f \in \mathfrak{F}$ then

$$(N, P) \models \text{``}\varphi[\ldots, a_\ell, \ldots]_{\ell < \ell g(\bar x)}\text{''} \ \Leftrightarrow\ (N, P) \models \text{``}\varphi[\ldots, G(f)(a_\ell), \ldots]_{\ell < \ell g(\bar x)}\text{''}$$



Proof. We prove this by induction on the quantifier depth of $\varphi$. Let $m = \ell g(\bar x)$ so $\bar x = \langle x_\ell : \ell < m \rangle$ and without loss of generality $m < k$.

Case 1: $\varphi$ atomic.

As $G(f)$ is a partial automorphism of $N$ and even of $(N, P)$ this should be clear.

Case 2: $\varphi = \neg\psi$ or $\varphi = \psi_1 \wedge \psi_2$ or $\varphi = \varphi_1 \vee \varphi_2$.

Straight.

Case 3: $\varphi = \varphi(\bar x) = (\exists y)\psi(y, \bar x)$.

Without loss of generality $y$ is not a dummy variable in $\psi$, that is, it has a free occurrence. Let $\bar x = \langle x_0, \ldots, x_{m-1} \rangle$ so $m < k$.

As $G(f^{-1}) = G(f)^{-1}$ it is enough to prove $N \models \text{``}\varphi[a_0, \ldots, a_{m-1}]\text{''} \Rightarrow N \models \text{``}\varphi[G(f)(a_0), \ldots, G(f)(a_{m-1})]\text{''}$.

So we assume the left side, i.e.

$(*)_1$ $N \models \text{``}\varphi[a_0, \ldots, a_{m-1}]\text{''}$,

hence for some $a^* \in N$ we have

$(*)_2$ $N \models \psi[a^*, a_0, \ldots, a_{m-1}]$.

Necessarily $a^*$ has a $\mathfrak{J}$-support $A^* \in I$.

Now $k \geq m + 1$ and $\mathfrak{Y}$ is a $k$-system hence there is $f^* \in \mathfrak{F}$ such that $f \restriction (\bigcup_{\ell < m} A_\ell) \subseteq f^*$ and $A^* \subseteq \mathrm{Dom}(f^*)$. So each of $a^*, a_0, \ldots, a_{m-1}$ has a $\mathfrak{J}$-support included in $\mathrm{Dom}(f^*)$ hence by the induction hypothesis applied to $\psi[a^*, a_0, \ldots, a_{m-1}]$ and $(*)_2$ we have

$(*)_3$ $N \models \psi[G(f^*)(a^*), G(f^*)(a_0), \ldots, G(f^*)(a_{m-1})]$.

So by the definition of $\models$ we get

$(*)_4$ $N \models (\exists y)\psi[y, G(f^*)(a_0), \ldots, G(f^*)(a_{m-1})]$.

But for $\ell < m$, the set $A_\ell$ is a $\mathfrak{J}$-support of $a_\ell$ and $f^* \restriction A_\ell = f \restriction A_\ell$ hence $(G(f^*))(a_\ell) = G(f)(a_\ell)$ so

$(*)_5$ $N \models (\exists y)\psi[y, G(f)(a_0), \ldots, G(f)(a_{m-1})]$.

But $\varphi(\bar x) = (\exists y)\psi(y, \bar x)$ so we are done. $\square_{2.9}$

Having dealt with first order logic we should deal with cardinality logic (actually any of the variants we mention). Here we use the counting version; really the medium version naturally suffices, but for it we have to use more "bookkeeping" of the various things used, and the reader can use only this smoother case.

Note that if we like to add cardinality quantifiers on pairs we need $s \geq 2$, etc., but we may create the set of pairs in $N_t$, so this is not so necessary.

2.10 Claim. Assume that $\mathfrak{Y}$ is a counting $k$-system (see Def 2.3(1)) and $\mathfrak{J} = (N, P, G, R)$ is an $m_1$-lifting of $\mathfrak{Y}$.

Then

$(*)$ assume $\varphi(\bar x) \in \mathcal{L}_{\mathrm{card},T}$ or $\varphi(\bar x) \in \mathcal{L}_{\mathrm{card}}$ (can have both kinds of quantifiers; recall that $\mathcal{L}_{\mathrm{f.o.}+\mathrm{na}}$ is included in a special case of $\mathcal{L}_{\mathrm{card},T}$) and every subformula of $\varphi(\bar x)$, including $\varphi(\bar x)$ itself, has $< k$ free variables and $m = \ell g(\bar x) < k$

$(\alpha)_{\varphi(\bar x)}$ if $f \in \mathfrak{F}$ and $A_\ell$ is a $\mathfrak{J}$-support of $a_\ell$ and $A_\ell \subseteq \mathrm{Dom}(f)$ for $\ell < m$ then:

$$(N, P) \models \text{``}\varphi[a_0, \ldots, a_{m-1}]\text{''} \text{ iff } (N, P) \models \text{``}\varphi[G(f)(a_0), \ldots, G(f)(a_{m-1})]\text{''}$$

$(\beta)_{\varphi(\bar x)}$ if $f \in \mathfrak{F}$ and $A_\ell$ is a $\mathfrak{J}$-support of $a_\ell$ for $\ell = 1, \ldots, m-1$ and $A_\ell \subseteq \mathrm{Dom}(f)$ then the sets $\{b \in N : (N, P) \models \text{``}\varphi[b, a_1, \ldots, a_{m-1}]\text{''}\}$ and $\{b \in N : (N, P) \models \text{``}\varphi[b, G(f)(a_1), \ldots, G(f)(a_{m-1})]\text{''}\}$ have the same number of elements.



Proof. We prove by induction on the quantifier depth of $\varphi$.

We first show that

$\boxtimes$ $(\alpha)_{\varphi(\bar x)} \Rightarrow (\beta)_{\varphi(\bar x)}$

Why? So assume $(\alpha)_{\varphi(\bar x)}$, and let $a_1, \ldots, a_{m-1} \in N$ be given (where $\ell g(\bar x) = m$) and also $f \in \mathfrak{F}$ and $A_1, \ldots, A_{m-1} \in I$, $A_\ell$ a $\mathfrak{J}$-support of $a_\ell$ for $\ell = 1, \ldots, m-1$ such that $A_\ell \subseteq \mathrm{Dom}(f)$, and we should prove the equality in $(\beta)_{\varphi(\bar x)}$. Let $a^i_\ell$ be $a_\ell$ if $i = 1$ and $(G(f))(a_\ell)$ if $i = 2$. Let $A^i_\ell$ be $A_\ell$ if $i = 1$ and $f''(A_\ell)$ if $i = 2$.

Let $B_i = \bigcup_{\ell=1}^{m-1} A^i_\ell$ so $B_i \in I[m-1]$ and $f$ maps $B_1$ onto $B_2$.

By Definition 2.8(1) we know that $E_{B_i}$ is an equivalence relation on $N$ and, see Definition 2.8(2), clauses ($\gamma$), ($\delta$), the function $F = F_{f,B_1}$ satisfies

(i) $F$ is a one-to-one function from $N/E_{B_1}$ onto $N/E_{B_2}$

(ii) $f \restriction B_1 \subseteq g \in \mathfrak{F}$ & $(G(g))(x_1) = x_2 \Rightarrow F(x_1/E_{B_1}) = x_2/E_{B_2}$

(iii) for every $x_1 \in N$, $A_1 \in I$ such that $A_1 R x_1$, and $\bar a_1 \in \mathrm{Seq}(A_1)$, for some $E = E_{x_1}$ we have $\mathrm{Dom}(E) = x_1/E_{B_1}$ and

$(*)$ if $[\mathrm{id}_{B_1} \subseteq f_\ell$ & $A_1 \subseteq \mathrm{Dom}(f_\ell)]$ for $\ell = 1, 2$ then $f_1(\bar a_1) E f_2(\bar a_1) \equiv (G(f_1))(x_1) = (G(f_2))(x_1)$

(iv) if $x_1 \in N$, $x_2 \in N$, $(G(g))(x_1) = x_2$ for some $g \in \mathfrak{F}$ such that $f \restriction B_1 \subseteq g$, then $|(x_1/E_{B_1})/E_{x_1}| = |(x_2/E_{B_2})/E_{x_2}|$.

Hence it suffices to prove, assuming $F(x_1/E_{B_1}) = x_2/E_{B_2}$, that

$$N \models \text{``}\varphi[x_1, a_1, \ldots, a_{m-1}]\text{''} \ \Leftrightarrow\ N \models \text{``}\varphi[x_2, G(f)(a_1), \ldots, G(f)(a_{m-1})]\text{''}.$$

As we can replace $f$ by a suitable extension of $f \restriction A_1$, without loss of generality there are $y_1 \in x_1/E_{B_1}$ and $y_2 \in x_2/E_{B_2}$ such that $(G(f))(y_1) = y_2$. We can find $C_1 \subseteq \mathrm{Dom}(f)$ which is a $\mathfrak{J}$-support of $y_1$.

As $x_1 E_{B_1} y_1$ we can find $f_1 \in \mathfrak{F}$ such that $\mathrm{id}_{B_1} \subseteq f_1$ and $(G(f_1))(x_1) = y_1$; as $m < k$, without loss of generality $C_1 \subseteq \mathrm{Rang}(f_1)$ and let $C_0 = (f_1^{-1})''(C_1)$, let $C_2 = f''(C_1)$. As $x_2 E_{B_2} y_2$ we can find $f_2 \in \mathfrak{F}$ such that $\mathrm{id}_{B_2} \subseteq f_2$ and $(G(f_2))(y_2) = x_2$; as $m < k$ without loss of generality $C_2 \subseteq \mathrm{Dom}(f_2)$ and let $C_3 = f_2''(C_2)$. So $f' = f_2 \circ f \circ f_1$ belongs to $\mathfrak{F}$ and extends $f \restriction A_1$ and it maps $C_0$ onto $C_3$ hence $x_1 \in \mathrm{Dom}(G(f'))$, and clearly $(G(f_1))(x_1) = y_1$, $(G(f))(y_1) = y_2$, $(G(f_2))(y_2) = x_2$ hence $(G(f'))(x_1) = x_2$ and, of course, $A_\ell \subseteq \mathrm{Dom}(f')$ hence applying $(\alpha)_{\varphi(\bar x)}$ to $f', x_1, a_1, \ldots, a_{m-1}$ we get

$$(N, P) \models \text{``}\varphi[x_1, a_1, \ldots, a_{m-1}]\text{''} \ \Leftrightarrow\ (N, P) \models \text{``}\varphi[G(f')(x_1), G(f)(a_1), \ldots, G(f)(a_{m-1})]\text{''}$$

recalling $x_2 = (G(f'))(x_1)$. So $\boxtimes$ holds.

Now the inductive proof of $(\alpha)_\varphi$ is separated into cases. The cases $\varphi$ atomic, $\varphi = \neg\psi$, $\varphi = \psi_1 \wedge \psi_2$, $\varphi = (\exists y)(\psi(y, \bar x))$ work as in the proof of 2.9. The new cases hold because $(\beta)_\psi$ holds by the induction hypothesis $+ \boxtimes$. $\square_{2.10}$

2.11 Claim. We can weaken in 2.10 the assumption on $\mathfrak{Y}$ to "medium $(t, k)$-dichotomical" provided that:

$\boxtimes$ if $B \in I[m]$, $1 \leq m < r$, then every equivalence class of $E_B$ (so a subset of $N$, see Definition 2.8(1)) has $< t(\|M\|)$ members.



Proof. Straightforward. 

2.12 Definition. For $\mathfrak{Y} = (M, I, \mathfrak{F})$ a $k$-system, the $0$-$T$-lifting or the $0$-$m_1$-lifting (if $m_1 = m_1^T$) is $(M, P, G, R)$ where

(a) $G$ is the identity on $\mathfrak{F}$

(b) $ARy \Leftrightarrow A \in I$ & $y \in A$

(c) each $P_\ell$ is the empty relation.
Clearly our intention requires us, for a $k$-system $\mathfrak{Y}$, to move from a $T$-lifting $\mathfrak{J}_t = (N_t[M, T, t], P_t[M, T, t], G_t, R_t)$ to a $T$-lifting

$$\mathfrak{J}_{t+1} = (N_{t+1}[M, T], P_{t+1}[M, T], G_{t+1}, R_{t+1}).$$

Toward this aim, naturally, in Definition 2.13 below we define for a $T$-lifting $\mathfrak{J}$ some successors, and in Claim 2.16 we prove what they satisfy.

In Definition 2.13(6) we can define "$\mathfrak{J}'$ is the full $t$-successor of $\mathfrak{J}$" (both $m_1$-liftings of a $k$-system $\mathfrak{Y}$).

2.13 Definition. Let $\mathfrak{Y} = (M, I, \mathfrak{F})$ be a $k$-system and $\mathfrak{J} = (N, P, G, R)$ be an $m_1$-lifting of $\mathfrak{Y}$.

1) We say $X$ is good or $(\mathfrak{Y}, \mathfrak{J})$-good if

(a) $X$ is a subset of $N$

(b) for some $A \in I$ we have "$A$ supports $X$" (for our $\mathfrak{Y}$ and $\mathfrak{J}$) which means: if $f \in \mathfrak{F}$, $BRy$ (so $B \in I$, $y \in N$) and $A \cup B \subseteq \mathrm{Dom}(f)$, and $f \restriction A = \mathrm{id}_A$ then $y \in X \Leftrightarrow (G(f))(y) \in X$

(note: $(G(f))(y)$ is well defined by clause (f) of 2.6)

(c) $X \notin N$.

2) Let $\mathcal{X} = \mathcal{X}_{\mathfrak{J}}$ be the family of good subsets of $N$, let $\mathcal{R} = \mathcal{R}_{\mathfrak{J}}$ be the two-place relation defined by: $A \mathcal{R} X$ iff $A$ supports $X$, i.e. (b) of part (1) holds.

3) For $f \in \mathfrak{F}$ we define a function $G^+(f) = G^+_{\mathfrak{J}}(f)$ with domain $\subseteq \mathcal{X}_{\mathfrak{J}} \cup N$ as follows (well, now $(G^+(f))(X_1) = X_2$ is just a relation, but by 2.14(1) clause (ii) below it is a function):

($\alpha$) For good $X$ such that $A \mathcal{R} X$, $A \in I$, when $A \subseteq \mathrm{Dom}(f)$ we let $(G^+(f))(X) = \{y \in N :$ for some $g \in \mathfrak{F}$ and $y' \in X$ we have $f \restriction A \subseteq g$ and $G(g)(y') = y\}$

($\beta$) $G^+(f) \restriction N = G(f)$.

Note that no contradiction arises between clauses ($\alpha$) and ($\beta$) because of clause (c) in part (1).

4) We define $E = E_{\mathfrak{J}}$ as the following two place relation: $X_1 E X_2$ iff $X_1, X_2$ are good subsets of $N$ and for some $f \in \mathfrak{F}$ we have $(G^+(f))(X_1) = X_2$; this is an equivalence relation (see 2.15(2) below).

5) $\mathfrak{J}' = (N', P', G', R')$ is a successor of $\mathfrak{J}$ if:

(a) $N \subseteq N' \subseteq N \cup \mathcal{X}_{\mathfrak{J}}$

(b) $X_1 E X_2$ & $X_2 \in \mathcal{X}_{\mathfrak{J}} \Rightarrow [X_1 \in N' \Leftrightarrow X_2 \in N']$

(c) $G'$ is a function with domain $\mathfrak{F}$ and for $f \in \mathfrak{F}$ the function $G'(f)$ is defined as $G^+(f)$ from part (3) restricted to $N'$

(d) $R'$ is $R \cup [\mathcal{R} \restriction (I \times N')]$

(e) the pair $(N', P')$ is an $(M, m_1)$-candidate; so $P'_\ell$ is an $m_1(\ell)$-ary relation or function as dictated by $m_1$
6) We say $\mathfrak{J}'$ is a $\bar\varphi$-reasonable successor of $\mathfrak{J}$ if it is a successor and

(e)$'$ $P'_\ell = \{b \in N : (N, P) \models \varphi_\ell(b)\}$ but when $T$ is i.c. (see Definition 1.1(2), clause (F)) this is so only if $P'_\ell \in N'$ and $= \emptyset$ otherwise (for each $\ell < m_1$) (so we demand $P'_\ell \in N'$).

We may omit $\bar\varphi$ if clear from the context.

7) We say that $\mathfrak{J}' = (N', P', G', R')$ is a full successor of $\mathfrak{J}$ if it is a successor of $\mathfrak{J}$ and $N' = N \cup \mathcal{X}_{\mathfrak{J}}$. We say it is the full successor if in addition $P' = \emptyset$, and it is the full reasonable successor (or reasonable full successor) if it is a full successor which is a reasonable successor.

8) $\mathfrak{J}' = (N', P', G', R')$ is a full $t$-successor of $\mathfrak{J}$ if it is a successor of $\mathfrak{J}$ and

(a)$_8$ $N' = N \cup \{X \in \mathcal{X}_{\mathfrak{J}} : |X/E_{\mathfrak{J}}| < t(\|M\|)\}$.

So if we omit $t$ we mean $t(\|N\|) = \infty$.

9) $\mathfrak{J}' = (N', P', G', R')$ is the true $(T, t)$-successor of $\mathfrak{J}$ if $m_1 = m_1^T$ and $\mathfrak{J}'$ is a reasonable successor of $\mathfrak{J}$ and:

(a)$_9$ $(N', P')$ is the $(T, t)$-successor of $(N, P)$ (see Definition 1.8(2)).

10) $\mathfrak{J}' = (N', P', G', R')$ is the true $T$-successor of $\mathfrak{J}$ if it is a $\bar\varphi^T$-reasonable successor of $\mathfrak{J}$ and:

(a)$_{10}$ $(N', P')$ is the $T$-successor of $(N, P)$ (see Definition 1.8(2A))

[this just means the true $(T, \infty)$-successor of $\mathfrak{J}$].

Note that the names above indicate our intentions, but we have to prove that "$\mathfrak{J}'$ is a successor of $\mathfrak{J}$" implies that "$\mathfrak{J}'$ is an $m_1$-lifting of $\mathfrak{Y}$" (done in 2.16), that the true $(T, t)$-successor of $\mathfrak{J}$ is a $t$-successor of $\mathfrak{J}$ (done in 2.17, 2.18, 2.20) and similarly without the $t$.

2.14 Claim. Assume $\mathfrak{Y}$ is a $k$-system, $T$ an inductive scheme (so $t$ is common) and $\mathfrak{J}$ is a $T$-lifting of $\mathfrak{Y}$.

1) In Definition 2.13(3), if $k \geq 3$ then for $f \in \mathfrak{F}$ and $(\mathfrak{Y}, \mathfrak{J})$-good $X$ we have:

(i) if the relation $X_2 = (G^+(f))(X_1)$ holds and $(G(f))(x_1) = x_2$ then $x_1 \in X_1 \equiv x_2 \in X_2$

(ii) the value $(G^+(f))(X)$ does not depend on $A$, so $G^+(f)$ is well defined.

(iii) if the relation $X_2 = (G^+(f))(X_1)$ holds then $X_2$ is $(\mathfrak{Y}, \mathfrak{J})$-good

2) There is a unique object $\mathfrak{J}'$ which is the full successor of $\mathfrak{J}$; there is a unique object $\mathfrak{J}'$ which is the reasonable full successor of $\mathfrak{J}$ and there is a unique object which is the reasonable $t$-full successor of $\mathfrak{J}$.

3) If $\mathfrak{J}'$ is the true $(T, t)$-successor of $\mathfrak{J}$, then $\mathfrak{J}'$ is a reasonable successor of $\mathfrak{J}$, which implies $\mathfrak{J}'$ is a successor of $\mathfrak{J}$.

4) There is at most one true successor $\mathfrak{J}'$ of $\mathfrak{J}$.

Proof. Easy, using 2.16(2) below for part (2); e.g.

1) Clause (i): So assume that $X_1$ is $(\mathfrak{Y}, \mathfrak{J})$-good, $A_1$ is a $\mathfrak{J}$-support of $X_1$, $A_1 \subseteq \mathrm{Dom}(f)$, $f \in \mathfrak{F}$ and $X_2 = \{(G(g))(x) : x \in X_1 \cap \mathrm{Dom}(G(g)),\ f \restriction A_1 \subseteq g \in \mathfrak{F}\} \subseteq N$ and $(G(f))(x_1) = x_2$. First, $x_1 \in X_1 \Rightarrow x_2 \in X_2$ by the definition of $X_2$. Second, assume that $x_2 \in X_2$, so for some $y \in X_1$ and $g \in \mathfrak{F}$ we have $f \restriction A_1 \subseteq g$ and $(G(g))(y) = x_2$. Let $B_2 \subseteq \mathrm{Dom}(g)$ be a $\mathfrak{J}$-support of $y$. Let $B_1 \subseteq \mathrm{Dom}(f)$ be a $\mathfrak{J}$-support of $x_1$; as $k \geq 3$ there is $f_1 \in \mathfrak{F}$ such that $f \restriction (A_1 \cup B_1) \subseteq f_1$ and $g''(B_2) \subseteq \mathrm{Rang}(f_1)$, so $(G(f_1))(x_1) = x_2$. Now $(G(g^{-1} \circ f_1))(x_1)$ is well defined as $B_1 \subseteq \mathrm{Dom}(g^{-1} \circ f_1)$, hence is equal to $((G(g^{-1})) \circ (G(f_1)))(x_1) = y$ and $(g^{-1} \circ f_1) \restriction A_1 = \mathrm{id}_{A_1}$ hence $x_1 \in X_1 \equiv y \in X_1$, but $y \in X_1$ hence $x_1 \in X_1$ as required.

Clause (ii): So assume that $f \in \mathfrak{F}$, $X$ is good and for $\ell = 1, 2$ the set $A_\ell \in I$ is a support of $X$ and $A_\ell \subseteq \mathrm{Dom}(f)$. For $\ell = 1, 2$ let $X_\ell =: \{y \in N :$ for some $g \in \mathfrak{F}$ and $y' \in X$ we have $f \restriction A_\ell \subseteq g$ and $(G(g))(y') = y\}$.

By the symmetry it is enough to show that $y \in X_1 \Rightarrow y \in X_2$. So assume $y \in X_1$, hence there are $g \in \mathfrak{F}$ and $y' \in X$ such that $f \restriction A_1 \subseteq g$ and $(G(g))(y') = y$.

As $y' \in X \subseteq N$, by Definition 2.6(1), clause (g) there is $B \in I$ which is a $\mathfrak{J}$-support of $y'$. As $(G(g))(y') = y$ without loss of generality $B$ is such that $B \subseteq \mathrm{Dom}(g)$ (see Definition 2.6(1), clause (f)). As $\mathfrak{Y}$ is a $k$-system and $k \geq 3$ there is $f^* \in \mathfrak{F}$ such that $f \restriction (A_1 \cup A_2) \subseteq f^*$ and $g''(B) \subseteq \mathrm{Rang}(f^*)$, hence for some $B^* \subseteq \mathrm{Dom}(f^*)$ we have $(f^*)''(B^*) = g''(B)$, so for some $y^* \in N$ we have $(G(f^*))(y^*) = y$. By clause (i) applied to $A_2, f^*, y^*, y$ we have $y^* \in X \equiv y \in X_2$, so it is enough to prove that $y^* \in X$. Now easily $g^{-1} \circ f^* \in \mathfrak{F}$, $B^* \subseteq \mathrm{Dom}(g^{-1} \circ f^*)$, $\mathrm{id}_{A_1} \subseteq g^{-1} \circ f^*$ and so $y^* \in \mathrm{Dom}(G(g^{-1} \circ f^*))$ and $(G(g^{-1} \circ f^*))(y^*) = y'$. Hence, as $X$ is good (see Definition 2.13(1) clause (b)), we have $y^* \in X \equiv y' \in X$, but $y' \in X$ by its choice, so we are done.

Clause (iii): Easy, or see the proof of $\boxtimes(*)_1$ inside the proof of 2.16 below. $\square_{2.14}$

Now for the definition of successor for liftings we naturally ask whether there is any.

2.15 Claim. Assume $\mathfrak{Y}$ is a $k$-system, $k \geq 3$, $T$ an inductive scheme and $\mathfrak{J}$ is an $m_1$-lifting of $\mathfrak{Y}$ and $t \in T$.

1) There is a $\bar\varphi$-reasonable full $t$-successor of $\mathfrak{J}$ (and it is unique), similarly without $t$.

2) $E_{\mathfrak{J}}$, defined in 2.13(4), is an equivalence relation on $\mathcal{X}_{\mathfrak{J}}$ (see Definition 2.13) and for every $f \in \mathfrak{F}$ the function $G^+(f) : \mathcal{X}_{\mathfrak{J}} \to \mathcal{X}_{\mathfrak{J}}$ preserves the equivalence class.

Proof. 1) All is straight modulo part (2) (recalling 2.14).

2) Let $\mathfrak{J}^*$ be the $\bar\varphi$-reasonable full successor of $\mathfrak{J}$ which exists by 2.14(2), and is a successor of $\mathfrak{J}$ by 2.14, and is an $m_1$-lifting by 2.16 below.

Why is $E_{\mathfrak{J}}$ an equivalence relation on $\mathcal{X}_{\mathfrak{J}} = N^{\mathfrak{J}^*} \setminus N^{\mathfrak{J}}$? In short, by the properties of $\mathfrak{J}^*$; in details:

$E_{\mathfrak{J}}$ is reflexive:

Let $X \in \mathcal{X}_{\mathfrak{J}}$, so for some $A \in I$ we have $A R^{\mathfrak{J}^*} X$ (or equivalently $A \mathcal{R} X$) (see Definition 2.13(2)) and there is $f \in \mathfrak{F}$ which is the identity on $A$, hence
100 S. Shelah 



(see Definition 2.13) $X \in \mathrm{Dom}(G^{\mathfrak{J}^*}(f))$, and $(G^{\mathfrak{J}^*}(f))(X) = X$ (as clause (f) of Definition 2.6(1) holds, since $\mathfrak{J}^*$ is an $m_1$-lifting of $\mathfrak{Y}$).

$E_{\mathfrak{J}}$ is symmetric:

Use $G^{\mathfrak{J}^*}(f^{-1}) = (G^{\mathfrak{J}^*}(f))^{-1}$.

$E_{\mathfrak{J}}$ is transitive:

Use $G^{\mathfrak{J}^*}(f_1 \circ f_2) \subseteq G^{\mathfrak{J}^*}(f_1) \circ G^{\mathfrak{J}^*}(f_2)$.

[This is similar to 2.4.]

By the definition of $E_{\mathfrak{J}}$ (see Definition 2.13(4)), clearly for $f \in \mathfrak{F}$ the mapping $G^+(f) = G^{\mathfrak{J}^*}(f) \restriction \mathcal{X}_{\mathfrak{J}}$ preserves the $E_{\mathfrak{J}}$-equivalence class, or use 2.16. $\square_{2.15}$



Clearly for "reasonable" cases, everything can be interpreted in $N$; see later. We now prove that Definition 2.13(1)-(5) works as intended, i.e. any successor of $\mathfrak{J}$ is an $m_1$-lifting of $\mathfrak{Y}$. In particular, we have to show that the functions defined are functions with the right domain and range and that the $E$'s are equivalence relations. This is included in the proof of 2.16.

2.16 Claim. Assume $\mathfrak{Y}$ is a $k$-system and $\mathfrak{J}$ is an $m_1$-lifting of $\mathfrak{Y}$ (see Definition 2.1(2), Definition 2.6) and $k \geq 3$.

Any successor $\mathfrak{J}'$ of $\mathfrak{J}$ is an $m_1$-lifting of $\mathfrak{Y}$.

Proof. We check the clauses in Definition 2.6. Let $\mathfrak{J}', G', R', N', P'$ be as in Definition 2.13.

Clause (a): As $N$ is transitive with $M$ its set of urelements, and $X \in N' \setminus N \Rightarrow X \in \mathcal{X}_{\mathfrak{J}} \Rightarrow X \subseteq N$, also $N'$ is transitive with $M$ its set of urelements. Clearly $N'$ has the right vocabulary $\tau^+ = \tau_M \cup \{\in\}$ and each $Q \in \tau_M$ is interpreted as required. So $N'$ is as required. Also $P' = \langle P'_\ell : \ell < m_1 \rangle$, each $P'_\ell$ as required by $m_1$.

Clause (b): By Definition 2.13(5)(c) we have that $G'$ is $G^+ \restriction N'$ where the function $G^+$ is defined in part (3) of Definition 2.13 and $f \in \mathfrak{F}$ implies $G^+(f)$ is a partial function with domain $\subseteq N \cup \mathcal{X}_{\mathfrak{J}}$ (see 2.14(1)). So $G'$ is a function with domain $\mathfrak{F}$ and $G'(f)$ by its definition is a partial function with domain $\subseteq N'$.

Clause (c):

Subclause ($\alpha$): For $f \in \mathfrak{F}$ we know that $G(f)$ is a function, $G(f) \restriction M = f$ (see Definition 2.6(1), clause (c)($\alpha$)) and $G(f) = (G^+(f)) \restriction N$ (see Definition 2.13(3), particularly subclause ($\beta$), remembering that "$X$ good $\Rightarrow X \notin N$" by Definition 2.13(1), clause (c)). As $M \subseteq N \subseteq N'$ and $G'(f) = G^+(f) \restriction N'$, together we get $f = (G^+(f)) \restriction M = (G'(f)) \restriction M$.



Subclause ($\beta$): Let $f \in \mathfrak{F}$, $G(f) = f^{0}$, $G'(f) = f'$ and let $x, y \in N'$ belong to the domain of $f'$; we should prove

($\alpha$) $f'(x) \in N'$

($\beta$) $x \in N' \setminus N \Rightarrow f'(x) \in N' \setminus N$

($\gamma$) if $x \neq y$ are from $N'$ then $f'(x) \neq f'(y)$

($\delta$) for every predicate $Q \in \tau_M$, $f'$ preserves $Q$ and $\neg Q$

($\varepsilon$) $N' \models \text{``}y \in x\text{''} \Leftrightarrow N' \models \text{``}f'(y) \in f'(x)\text{''}$

(we shall do more toward proving clause (g) of Definition 2.6(1) below).

Note that for clause ($\alpha$), as $f' \restriction N = G'(f) \restriction N = G(f) = f^{0}$, it is enough to check it for $x \in N' \setminus N$, which is done in $\boxtimes$, $(*)_4 + (*)_1 + (*)_6$ below (as a good subset of $N$ does not belong to $N$). Clause ($\beta$) also follows from $\boxtimes$, $(*)_4 + (*)_1 + (*)_6$ below. As for clause ($\gamma$), if $x, y \in N$ use $G'(f) \restriction N = G(f)$; if $x \in N$ & $y \in N' \setminus N$ note that $G'(f)(x) = (G(f))(x) \in N$ and $(G'(f))(y) \notin N$ by clause ($\beta$); similarly if $x \in N' \setminus N$ & $y \in N$; lastly if $x, y \in N' \setminus N$ we use clause ($\varepsilon$) proved below and $N'$ being transitive (as $f'(x), f'(y)$ are subsets of $N$, so $\notin M$). Now clause ($\delta$) is easy as $G'(f) \restriction M = f$ and $f$, being from $\mathfrak{F}$, is a partial automorphism of $M$.

Lastly, we consider clause ($\varepsilon$), so we let $x, y \in N'$. If $x \in N$, then $f'(x)$ is necessarily in $N$ too, but $N$ is transitive, hence $N' \models \text{``}y \in x\text{''} \Rightarrow y \in N$ and $N' \models \text{``}z \in f'(x)\text{''} \Rightarrow z \in N$, so as $f' \restriction N = f^{0}$ we are done. So we can assume $x \in N' \setminus N$, so $x$ is a good subset of $N$, so for some $A_0 \in I$, $A_0 \mathcal{R} x$. We define

$\oplus_1$ $z =: \{b \in N :$ for some $g \in \mathfrak{F}$ and $b' \in x$ we have $f \restriction A_0 \subseteq g$ and $G(g)(b') = b\}$.

We need the following, and it suffices:

$\boxtimes$ assume $x \in N' \setminus N$ and $z$ is defined as in $\oplus_1$.

Then

$(*)_1$ $z$ is a good subset of $N$ with $A_1 =: f''(A_0)$ a support of $z$

$(*)_2$ $x = \{b' \in N :$ for some $g \in \mathfrak{F}$ and $b \in z$ we have $f^{-1} \restriction (f''(A_0)) \subseteq g$ and $G(g)(b) = b'\}$

$(*)_3$ $z$ does not belong to $N$

$(*)_4$ $z = f'(x)$

$(*)_5$ if $A$ is another $\mathfrak{J}$-support of $x$, then $z' = z$ when $z' = \{b \in N :$ for some $g \in \mathfrak{F}$ and $a \in x$ we have $f \restriction A \subseteq g$ and $G(g)(a) = b\}$.

$(*)_6$ $z \in N'$

Proof of $(*)_1$. We should check clauses (a), (b), (c) of Definition 2.13(1). Now clause (a) is trivial and clause (c) is dealt with in $(*)_3$ which we prove below (and we do not use it till then, so no vicious circle). So we concentrate on proving clause (b). So suppose:

(i) $a, b \in N$ and

(ii) $g_1 \in \mathfrak{F}$ satisfies $A_1 \subseteq \mathrm{Dom}(g_1)$ and $g_1 \restriction A_1$ is the identity and

(iii) $a \in \mathrm{Dom}[G(g_1)]$ and $b = G(g_1)(a)$.
Now we should prove that $a \in z \equiv b \in z$. It is enough to prove $\Rightarrow$, as applying it to $g_1^{-1}$ we get the other implication. As $b = G(g_1)(a)$ necessarily by clause (i) of Definition 2.6 for some $\mathfrak{J}$-support $B_1$ of $a$ we have $B_1 \subseteq \mathrm{Dom}(g_1)$.

Assume $a \in z$; then by the definition of $z$ we can find $g \in \mathfrak{F}$ and $a' \in x$ such that $f \restriction A_0 \subseteq g$ and $G(g)(a') = a$. By Definition 2.6(1), clause (f)($\beta$) there is $B_2 \in I$ such that $B_2$ is a $\mathfrak{J}$-support of $a'$ and $B_2 \subseteq \mathrm{Dom}(g)$. As $k \geq 3$ and as we can replace $g$ by any $g^*$ such that $g \restriction (A_0 \cup B_2) \subseteq g^* \in \mathfrak{F}$, without loss of generality $B_1 \subseteq \mathrm{Rang}(g)$. So, possibly changing $B_2$, without loss of generality $B_1 = g''(B_2)$ (see clause (h) of Definition 2.6(1)).

Let $g' = g_1 \circ g$, so $A_0 \cup B_2 \subseteq \mathrm{Dom}(g')$, $g' \restriction A_0 = g \restriction A_0 = f \restriction A_0$.

[Why? As $g \restriction A_0 = f \restriction A_0$, $f''(A_0) = A_1$ and $g_1 \restriction A_1 = \mathrm{id}_{A_1}$; also $B_2 \subseteq \mathrm{Dom}(g)$ and $g''(B_2)$ is equal to $B_1$ which is $\subseteq \mathrm{Dom}(g_1)$.] Hence $a' \in \mathrm{Dom}(G(g'))$ and so $G(g')(a') = (G(g_1))(G(g)(a')) = (G(g_1))(a) = b$. (See Definition 2.6(1), clause (j).)

So $g', a'$ witness $b \in z$; so $b \in z$ has been proved under the assumption $a \in z$. So by symmetry we have proved $a \in z \equiv b \in z$.

Proof of $(*)_2$.

Call the set on the right side $x'$.

First assume that $a \in x$, so $a$ has a $\mathfrak{J}$-support $B_1$, hence for some $g_1 \in \mathfrak{F}$ we have $A_0 \cup B_1 \subseteq \mathrm{Dom}(g_1)$ and $f \restriction A_0 \subseteq g_1$, hence $a \in \mathrm{Dom}(G(g_1))$ and let $b =: (G(g_1))(a)$, so $b \in z$ by the definition of $z$; also $b$ has $\mathfrak{J}$-support $B_2 =: g_1''(B_1)$. Let $g_2 = g_1^{-1}$ so $g_2 \in \mathfrak{F}$ and $G(g_2) = G(g_1)^{-1}$ hence $(G(g_2))(b) = a$. Lastly, as $f \restriction A_0 \subseteq g_1$ clearly $f^{-1} \restriction (f''(A_0)) \subseteq g_2$. Together $g_2, b$ witness that $a \in x'$. So we have proved $a \in x \Rightarrow a \in x'$.

Second, assume that $a \in x'$, so we have witnesses $g, b$ for this, i.e. $g \in \mathfrak{F}$, $b \in z$, $f^{-1} \restriction (f''(A_0)) \subseteq g$ and $(G(g))(b) = a$. So we can find $B_1 \subseteq \mathrm{Dom}(g)$ a $\mathfrak{J}$-support of $b$, so $B_0 = g''(B_1)$ is a $\mathfrak{J}$-support of $a$. As $b \in z$ there are witnesses for it, that is, there are $g_1 \in \mathfrak{F}$ and $b' \in x$ such that $f \restriction A_0 \subseteq g_1$ and $(G(g_1))(b') = b$, hence $g_1^{-1} \in \mathfrak{F}$, $G(g_1^{-1}) = (G(g_1))^{-1}$, so without loss of generality $B_1 \subseteq \mathrm{Rang}(g_1)$ and let $B_2 = (g_1^{-1})''(B_1)$; but $B_1$ is a $\mathfrak{J}$-support of $b$ hence $B_2$ is a $\mathfrak{J}$-support of $b'$. Let $g' = g \circ g_1 \in \mathfrak{F}$. Now $A_0 \subseteq \mathrm{Dom}(g_1)$ and $g_1''(A_0) = f''(A_0) \subseteq \mathrm{Dom}(g)$ hence $A_0 \subseteq \mathrm{Dom}(g')$, and as $g_1 \restriction A_0 = f \restriction A_0$, and $g \restriction f''(A_0) = f^{-1} \restriction f''(A_0)$, clearly $g' \restriction A_0 = \mathrm{id}_{A_0}$. Also $B_2 \subseteq \mathrm{Dom}(g_1)$, $B_1 = g_1''(B_2) \subseteq \mathrm{Dom}(g)$, hence $B_2 \subseteq \mathrm{Dom}(g')$ and $(G(g'))(b') = (G(g \circ g_1))(b') = G(g)((G(g_1))(b')) = (G(g))(b) = a$, but as $g' \restriction A_0 = \mathrm{id}_{A_0}$ and $(*)_1$ we have $b' \in x \equiv (G(g'))(b') \in x$ which means $b' \in x \equiv a \in x$. But we have chosen $b' \in x$, hence $a \in x$. So we have proved that $a \in x' \Rightarrow a \in x$, thus finishing the proof of $(*)_2$.

Proof of $(*)_3$. If $z \in N$ there is $A^* \in I$ such that $A^*$ is a $\mathfrak{J}$-support of $z$.

Now there is $f_1 \in \mathfrak{F}$, $f \restriction A_0 \subseteq f_1$, such that $A^* \subseteq \mathrm{Rang}(f_1)$. So $z_1 = G(f_1^{-1})(z)$ is well defined and by $(*)_2$ we can check that $\{b \in N : b \in z_1\} = x$; contradiction to "$x \notin N$".
Proof of $(*)_4$. Should be clear.

Proof of $(*)_5$. By 2.14(1).

Proof of $(*)_6$. By clause (b) of 2.13(5).

We continue checking the clauses in Definition 2.6.

Clause (d):

Easy, as for $f, g \in \mathfrak{F}$ we have $f \subseteq g \Rightarrow G(f) \subseteq G(g)$.

Clause (i):

By the symmetry it is enough to show that $G'(f^{-1}) \subseteq G'(f)^{-1}$.

So let $(G'(f^{-1}))(x) = z$.

Now we know that both $G'(f)$ and $G'(f^{-1})$ map $N$ to $N$ and $N' \setminus N$ to $N' \setminus N$ (that is, when defined), so if $x \in N$ we have $z \in N$ and we use "$\mathfrak{J}$ satisfies Definition 2.6(1), clause (i)" to get $(G(f)^{-1})(z) = x$ as required. So assume $x \in N' \setminus N$, hence $z \in N' \setminus N$. By $\boxtimes(*)_4 + \oplus_1$ and $\boxtimes(*)_2$ we are done.

Clause (j):

Assume $x_0 \in \mathrm{Dom}(G'(f))$, hence $x_0$ has a $\mathfrak{J}'$-support $A_0 \subseteq \mathrm{Dom}(f)$, so by the definition of $f_2 \circ f_1 = f$ we have $A_0 \subseteq \mathrm{Dom}(f_1)$ and $f_1''(A_0) \subseteq \mathrm{Dom}(f_2)$. So we have $x_0 \in \mathrm{Dom}(G'(f_1))$ and $x_1 =: (G'(f_1))(x_0)$ has $\mathfrak{J}'$-support $A_1 =: f_1''(A_0)$. Similarly $x_2 =: (G'(f_2))(x_1)$ is well defined and has $\mathfrak{J}'$-support $A_2 =: f_2''(A_1)$ which is $\subseteq \mathrm{Rang}(f_2 \circ f_1) = \mathrm{Rang}(f)$. Now we would like to show that $x_2 = (G'(f))(x_0)$; if $x_0 \in N$ this should be clear, so assume that $x_0 \in N' \setminus N$, hence $x_1, x_2 \in N' \setminus N$. Let $x'_2 = (G'(f))(x_0)$; it is well defined as $x_0$ has $\mathfrak{J}'$-support $A_0$, $A_0 \subseteq \mathrm{Dom}(f)$, and it suffices to prove that $x_2 = x'_2$. So let $y \in N$ and we shall prove that $(y \in x_2) \equiv (y \in x'_2)$.

Let $B_2$ be a $\mathfrak{J}'$-support, equivalently $\mathfrak{J}$-support, of $y$ and let $y_2 = y$. We can find $f'_2 \in \mathfrak{F}$ such that $f'_2 \restriction A_1 = f_2 \restriction A_1$ and $B_2 \subseteq \mathrm{Rang}(f'_2)$, so as $A_1$ is a $\mathfrak{J}'$-support of $x_1$, clearly $(G'(f'_2))(x_1) = (G'(f_2))(x_1) = x_2$. Let $B_1 = ((f'_2)^{-1})''(B_2)$. Also we can find $f'_1 \in \mathfrak{F}$ such that $f'_1 \restriction A_0 = f_1 \restriction A_0$ and $B_1 \subseteq \mathrm{Rang}(f'_1)$, so as $A_0$ is a $\mathfrak{J}'$-support of $x_0$ clearly $(G'(f'_1))(x_0) = x_1$, and let $B_0 = ((f'_1)^{-1})''(B_1)$. Let $y_1 =: (G'((f'_2)^{-1}))(y_2)$, so $y_1 \in N$ has $\mathfrak{J}$-support $B_1$, and let $y_0 = (G'((f'_1)^{-1}))(y_1)$, so $y_0 \in N$ has $\mathfrak{J}$-support $B_0$. As $G'(f'_2)$ maps $x_1$ to $x_2$ and $y_1$ to $y_2$ we have by clause (c)($\beta$) on $\mathfrak{J}'$, which we have already proved, that $(y_2 \in x_2) \equiv (y_1 \in x_1)$. Similarly, as $G'(f'_1)$ maps $x_0$ to $x_1$ and $y_0$ to $y_1$ we have by clause (c)($\beta$) that $(y_1 \in x_1) \equiv (y_0 \in x_0)$, so together $(y_2 \in x_2) \equiv (y_0 \in x_0)$. Now $f' = f'_2 \circ f'_1 \in \mathfrak{F}$ and its domain includes $A_0 \cup B_0$ and $G'(f')$ maps $y_0$ to $y_2$ (by clause (j) for $\mathfrak{J}$); also $x_0$ is in its domain (as $A_0 \subseteq \mathrm{Dom}(f')$ is a $\mathfrak{J}'$-support of $x_0$) and as $f \restriction A_0 = f' \restriction A_0$ we have $(G'(f'))(x_0) = (G'(f))(x_0)$, but the latter is $x'_2$. So $(G'(f'))(x_0) = x'_2$, so as $y_0 \in \mathrm{Dom}(G'(f'))$, by clause (c) we have $y_0 \in x_0 \equiv (G'(f'))(y_0) \in x'_2$, but $(G'(f'))(y_0) = y_2$ so $(y_0 \in x_0) \equiv (y_2 \in x'_2)$. As earlier we have gotten $(y_2 \in x_2) \equiv (y_0 \in x_0)$, together $(y_2 \in x_2) \equiv (y_2 \in x'_2)$, but $y_2 = y$ so we are done.

Clause (e): See the definition of $R'$ in Definition 2.13(5), clause (d).

Clause (f):

Subclause ($\alpha$):

So assume $A R' y$, $f \in \mathfrak{F}$ and $A \subseteq \mathrm{Dom}(f)$. First, if $y \in N$ then we use $G'(f) \restriction N = G(f)$ and $\mathfrak{J}$ satisfying Definition 2.6(1), clause (f)($\alpha$). Second, if $y \in N' \setminus N$ then $A R' y$ means $A \mathcal{R} y$ and clearly $y$ is a good subset of $N$ and by the definition of $G'(f)$ ($= G^+(f)$), necessarily $y \in \mathrm{Dom}(G'(f))$. If in addition $f \restriction A = \mathrm{id}_A$, we should prove that $(G'(f))(y) = y$. Now by $\boxtimes$ $(*)_4$ applied to $y, A$ instead of $x, A_0$ we have

$$(G'(f))(y) = \{b \in N : \text{for some } g \in \mathfrak{F} \text{ and } b' \in y \text{ we have } f \restriction A \subseteq g \text{ (i.e. } \mathrm{id}_A \subseteq g\text{) and } G(g)(b') = b\}.$$

But as $A \mathcal{R} y$ we have:

$$\mathrm{id}_A \subseteq g \ \&\ b \in \mathrm{Dom}(G(g)) \ \Rightarrow\ [b \in y \equiv G(g)(b) \in y]$$

which means that $(G'(f))(y) = y$, as required.

Subclause ($\beta$) (of (f)):

So assume $f \in \mathfrak{F}$ and $y \in \mathrm{Dom}(G'(f))$ (hence $y \in N'$). First, if $y \in N$, recall that $G'(f) \restriction N = G(f)$ and use $\mathfrak{J}$ satisfying clause (f)($\beta$) of Definition 2.6(1) and

$\oplus_2$ $R' \restriction (I \times N) = R$.

Second, if $y \in N' \setminus N$ see the definition of $G'(f) = G^+(f)$ and $R'$.

Clause (g):

See the choice of $R'$, $\mathcal{R}$.

Clause (h):

The new case is: assume $A \subseteq \mathrm{Dom}(f)$, $A \in I$, $X \in \mathrm{Dom}(G'(f))$, $X \in N' \setminus N$. We have to show $A R' X \equiv f''(A) R' (G'(f))(X)$; now by clause (i) it is enough to prove the implication $\Leftarrow$.

Let $A^* =: f''(A)$ and $X^* =: (G'(f))(X)$, so we know that $A, A^* \in I$ and $X, X^* \in N' \setminus N$ and $A^* \mathcal{R} X^*$. We have to show that $A \mathcal{R} X$. If $\neg A \mathcal{R} X$ then we can find $g \in \mathfrak{F}$, $g \restriction A = \mathrm{id}_A$, and $z_0 \in \mathrm{Dom}(G(g))$, $z_1 = G(g)(z_0)$, such that $z_0 \in X \equiv z_1 \notin X$. We can find $B_0 \in I$ such that $B_0 R z_0$ and $B_0 \subseteq \mathrm{Dom}(g)$ and let $B_1 =: g''(B_0)$. We can find $f_1$, $f \restriction A \subseteq f_1$, $B_0 \cup B_1 \subseteq \mathrm{Dom}(f_1)$, $f_1 \in \mathfrak{F}$, and without loss of generality $f_1 = f$ and $\mathrm{Dom}(g) = A \cup B_0$. Let $g^* = f \circ g \circ f^{-1}$, $B^*_0 = f''(B_0)$ and $B^*_1 = f''(B_1)$. Clearly $B^*_0, B^*_1 \in I$ and $f^{-1}$, $g \circ f^{-1}$, $g^* = f \circ g \circ f^{-1} \in \mathfrak{F}$. Also $B^*_0 \subseteq \mathrm{Dom}(f^{-1})$, $(f^{-1})''(B^*_0) = B_0 \subseteq \mathrm{Dom}(g)$, $g''(B_0) = B_1$ and $f''(B_1) = B^*_1$, hence together $g^{*\prime\prime}(B^*_0) = B^*_1$. Let $z^*_0 =: (G(f))(z_0)$, $z^*_1 = (G(f))(z_1)$, so $(G(f^{-1}))(z^*_0) = z_0$, $(G(g))(z_0) = z_1$, $(G(f))(z_1) = z^*_1$, and as $B^*_0$ is a $\mathfrak{J}$-support of $z^*_0$, $B^*_0 \subseteq \mathrm{Dom}(g^*)$, necessarily $(G(g^*))(z^*_0) = z^*_1$.

We can also show that $(z_0 \in X) \equiv (z^*_0 \in X^*)$ and $(z_1 \in X) \equiv (z^*_1 \in X^*)$ by clause (c)($\beta$) which we already proved, so remembering $(z_0 \in X) \equiv (z_1 \notin X)$ we get a contradiction to "$A^* \mathcal{R} X^*$" which we have assumed.

Clause (k):

Trivial. $\square_{2.16}$

Well, we have $T$-successors of candidates (in Definition 1.8, implicitly in Definition 1.1) and we have successors of $m_1$-liftings $\mathfrak{J}$ of $(M, I, \mathfrak{F})$, where $\mathfrak{J}$ has in it a candidate $(N^{\mathfrak{J}}, P^{\mathfrak{J}})$.

Of course, we would like to connect them, specifically to show that the true $(T, t)$-successor of $\mathfrak{J}$ exists. This is not always true, as Definition 1.8 can lead us to elements of $N' \setminus N$ with no support in $I$. In Definition 2.13 we restrict ourselves to elements with support in $I$, and we can change the definitions in 1.1, 1.8 to have it, but it seems to me not so convincing for a logic. Rather we show that the dichotomy assumptions (as in 2.1(3), 2.3) help.

When we use $\mathcal{L} = \mathcal{L}_{\mathrm{f.o.}}$, then dealing with the $T$-successor is easier: we have to look less carefully at cardinalities; still we need a dichotomy property (see Definition 2.6) in order to get a $\mathfrak{J}$-support for every member.

2.17 Claim. Assume that:

(a) $\mathfrak{Y} = (M, I, \mathfrak{F})$ is a $k$-system, $k \geq 3$

(b) $T$ is an inductive scheme for $\mathcal{L}$

(c) for every $\ell < m_1^T$ any subformula of $\psi_\ell$ has $< k$ free variables; also for every $\ell < m_1^T$ any subformula of $\varphi^T_\ell$ has $< k$ free variables

(d) $t \in T$

(e) $\mathfrak{Y}$ is a $t$-dichotomical $k$-system

(f) for every $\ell < m_1^T$ the formula $\psi_\ell$ has $< k/2$ free variables.

Then

($\alpha$) if $\mathfrak{J}$ is an $m_1^T$-lifting of $\mathfrak{Y}$ then $\mathfrak{J}$ has a true $(T, t)$-successor (see Definition 2.13(9))

($\beta$) for every $t < \infty$ there is an $m_1^T$-lifting $\mathfrak{J}^*$ of $\mathfrak{Y}$ such that, recalling Definition 1.1(3A), we have $(N^{\mathfrak{J}^*}, P^{\mathfrak{J}^*}) = (N_t[M, T, t], P_t[M, T, t])$

($\gamma$) if $t < t[M, T, t]$ and $\ell \in \{1, \ldots, 7\}$, or $t < t_\ell[M, T, t]$ & $\ell = 11, \ldots, 17$, then there is an $m_1^\ell$-lifting $\mathfrak{J}^*$ of $\mathfrak{Y}$ such that $(N^{\mathfrak{J}^*}, P^{\mathfrak{J}^*})$ is equal to

$$(N_t[M, T], P_t[M, T]) \text{ or } (N^\ell_t[M, T, t], P^\ell_t[M, T, t]),$$

respectively; similarly for $\ell = 21, \ldots, 27$.
Proof. Clearly clause ($\beta$) follows from clause ($\alpha$), just prove by induction on $t$. Also clause ($\gamma$) follows from ($\beta$) and clause ($\alpha$), so we deal with clause ($\alpha$). Let $\mathfrak{J} = (N, P, G, R)$.

The main point is to prove

$\boxtimes$ assume $\ell < m_1^T$ and $\bar a \in {}^{\ell g(\bar y)}N$ and $X = X_{\bar a} = \{b \in N : (N, P) \models \psi_\ell[b, \bar a]\}$. Then $A \mathcal{R} X$ for some $A \in I$ or
$$|\{\{b \in N : (N, P) \models \psi_\ell[b, \bar a']\} : \bar a' \in {}^{\ell g(\bar y)}N\}| \geq t(\|M\|).$$

Let $m = \ell g(\bar y)$, so $2(m+1) < k$ and $\bar a = \langle a_\ell : \ell < m \rangle$, let $A_\ell \in I$ be a $\mathfrak{J}$-support of $a_\ell$ and let $\bar b_\ell$ be a list of $A_\ell$ without repetitions, and define a function $h^*$ with domain $[m]$ with $h^*(\ell) = \bar b_\ell$. We define a 2-place relation $E$ on $h^*/\ldots$, see Definition 2.1(3)($\gamma$):

$\oplus_1$ if for $j = 1, 2$, $f_j \in \mathfrak{F}$ and $\bigcup_{\ell \in [m]} \mathrm{Rang}(h^*(\ell)) \subseteq \mathrm{Dom}(f_j)$ and $h_j = f_j \circ h^*$

then $h_1 E h_2 \Leftrightarrow X_{G(f_1)(\bar a)} = X_{G(f_2)(\bar a)}$

(where $G(f_j)(\langle a_\ell : \ell < m \rangle) = \langle G(f_j)(a_\ell) : \ell < m \rangle$).

Now

$\oplus_2$ $E$ belongs to the family in Def 2.1(3)($\delta$).

Why? By translating, this means that:

$(*)$ if $\bar a^1, \bar a^2, \bar a^3, \bar a^4 \in \{(G(f))(\bar a) : \bigcup_{\ell < m} A_\ell \subseteq \mathrm{Dom}(f) \text{ and } f \in \mathfrak{F}\}$ and $(G(f))(\bar a^1 {}^\frown \bar a^2) = \bar a^3 {}^\frown \bar a^4$ then $N \models \vartheta[\bar a^1, \bar a^2] \equiv \vartheta[\bar a^3, \bar a^4]$

where $\vartheta(\bar y_1, \bar y_2) =: (\forall x)[\psi_\ell(x, \bar y_1) \equiv \psi_\ell(x, \bar y_2)]$.

Now every subformula of $\vartheta(\bar y_1, \bar y_2)$ has at most $2m + 1 < k$ free variables or is a subformula of $\psi_\ell(x, \bar y)$, hence has $< k$ free variables, hence by 2.9 we have $N \models \vartheta[\bar a^1, \bar a^2]$ iff $N \models \vartheta[\bar a^3, \bar a^4]$, so we are done showing $\oplus_2$.

Now $m < k/2$ and we are assuming that $\mathfrak{Y}$ is a $t$-dichotomical $k$-system, so $(\beta)_1$ or $(\beta)_2$ of Definition 2.1(4) holds. Now $(\beta)_2$ gives the desirable first possible conclusion in $\boxtimes$ and $(\beta)_1$ gives that $|\{\{b : \models \psi_\ell(b, \bar a')\} : \bar a' \in {}^m N\}| \geq t(\|M\|)$, hence the second possible conclusion in $\boxtimes$. $\square_{2.17}$



2.18 Claim. 1) Assume that

(a) $\mathfrak Y$ is a counting $k$-system with $k \ge 3$

(b) $\mathbf T$ is an inductive scheme, in $\mathcal L_{\rm f.o.}$ or in $\mathcal L_{\rm f.o.+na}$ or $\mathcal L_{\rm card}$ or $\mathcal L_{{\rm card}, \mathcal T}$

(c) for $\ell < m_{\mathbf T}$, every subformula of $\psi_\ell(\bar y, \bar x)$ has at most $k-1$ free variables, and for $\ell < m_{\mathbf T}$ every subformula of $\varphi_\ell$ has at most $k-1$ free variables

(d) $\mathbf t \in \mathcal T$

(e) $\mathfrak Y$ is a $\mathbf t$-dichotomical $k$-system

(f) for $\ell < m_{\mathbf T}$ the formula $\psi_\ell$ has $< k/2$ free variables.

Then

(α) if $\mathfrak y$ is an $m_{\mathbf T}$-lifting, then $\mathfrak y$ has a true $(\mathbf t, \mathbf T)$-successor

(β) for every $t$ there is an $m_{\mathbf T}$-lifting $\mathfrak y^*$ such that $(N^{\mathfrak y^*}, P^{\mathfrak y^*}) = (N_t[M, \mathbf T, \mathbf t], P_t[M, \mathbf T, \mathbf t])$.

Proof. The proof is as in 2.17, but we know by 2.10 that the partial automorphism $G(f)$ preserves also $\psi_\ell(\bar y, \bar x)$ and even $(\exists^{\lambda} \bar y)\psi_\ell(\bar y, \bar x)$ when every subformula of $\psi_\ell$ has $< k$ free variables (note that only now does having $2m+1 \le k$ rather than $2m+1 < k$ seem helpful; or repeat the proof of 2.10, as we can use the "$< k$" just for subformulas of $\varphi$). □2.18

2.19 Remark. Why do we still need "$\mathbf t$-dichotomical" in 2.18? Just to guarantee that the true $(\mathbf t, \mathbf T)$-successor is included in the full one.

2.20 Claim. Assume

(a) $\mathfrak Y$ is a $k$-system with $k \ge 3$

(b) $\mathbf T$ is an inductive scheme in $\mathcal L_{\rm f.o.}$

(c) for $\ell < m_{\mathbf T}$, every subformula of $\psi_\ell(\bar y, \bar x)$ has at most $k-1$ free variables, and for $\ell < m_{\mathbf T}$ every subformula of $\varphi_\ell$ has at most $k-1$ free variables

(d) $\mathbf t \in \mathcal T$

(e) $\mathfrak Y$ is medium $\mathbf t$-dichotomical

(f) for $\ell < m_{\mathbf T}$ the formula $\psi_\ell$ has $< k/2$ free variables.

Then the conclusion of 2.18 holds, so if $t < t_*(M, \mathbf T, \mathbf t)$, then for some lifting $\mathfrak y^*$ we have $(N^{\mathfrak y^*}, P^{\mathfrak y^*}) = (N_t[M, \mathbf T, \mathbf t], P_t[M, \mathbf T, \mathbf t])$.

Proof. Like the proofs of 2.17, 2.18.

2.21 Definition. 1) We say that $\mathscr H$ is a witness to the $k$-equivalence of $\mathfrak Y_1$ and $\mathfrak Y_2$ if

(a) for $\ell = 1, 2$ we have $\mathfrak Y_\ell = (M_\ell, I_\ell, \mathscr F_\ell)$ is a $k$-system

(b) $\mathscr H$ is a family of partial isomorphisms from $M_1$ into $M_2$

(c) for every $g \in \mathscr H$ we have ${\rm Dom}(g) \in I_1$, ${\rm Rang}(g) \in I_2$

(d) if $g \in \mathscr H$ and $f_1 \in \mathscr F_1$ then $g \circ f_1 \in \mathscr H$

(e) if $g \in \mathscr H$ and $f_2 \in \mathscr F_2$ then $f_2 \circ g \in \mathscr H$

(f) if $g \in \mathscr H$ and $A \in I_1[k-1]$ and $B \in I_1$, then for some $g_1 \in \mathscr H$ we have $g \restriction A \subseteq g_1$ and $B \subseteq {\rm Dom}(g_1)$

(g) if $g \in \mathscr H$ and $A \in I_2[k-1]$ and $B \in I_2$, then for some $g_1 \in \mathscr H$ we have $g^{-1} \restriction A \subseteq g_1^{-1}$ and $B \subseteq {\rm Rang}(g_1)$.

2) We say that $\mathscr H$ is a witness to the dichotomical $(k, r)$-equivalence of $(\mathfrak Y_1, \mathbf t_1)$ and $(\mathfrak Y_2, \mathbf t_2)$ if

(i) $\mathfrak Y_\ell$ is a $(\mathbf t_\ell, k, r)$-dichotomical $k$-system for $\ell = 1, 2$

(ii) $\mathscr H$ is a witness to the $k$-equivalence of $\mathfrak Y_1$ and $\mathfrak Y_2$

(iii) each $g \in \mathscr H$ preserves the possibility chosen in the definition of $(\mathbf t, k, r)$-dichotomical.

If we omit $r$, we mean $r = [k/2]$.

3) We say that $\mathscr H$ is a witness to the counting $k$-equivalence of $\mathfrak Y_1$ and $\mathfrak Y_2$ if

(i) $\mathfrak Y_\ell$ is a counting $(\mathbf t, k, r)$-system for $\ell = 1, 2$

(ii) $\mathscr H$ is a witness to the $k$-equivalence of $\mathfrak Y_1$ and $\mathfrak Y_2$

(iii) each $g \in \mathscr H$ preserves the cardinalities involved in the definition of "counting $(\mathbf t, k, r)$-system".

4) Similarly with "medium dichotomy".

2.22 Main Conclusion. Assume

(a) $\mathfrak Y_\ell = (M_\ell, I_\ell, \mathscr F_\ell)$ is a $\mathbf t_\ell$-dichotomical $k$-system, and $\tau(M_\ell) = \tau$ for $\ell = 1, 2$

(b) $\mathscr H$ is a witness to the $k$-equivalence of $\mathfrak Y_1$ and $\mathfrak Y_2$

(c) $\chi \in \mathcal L_{\rm f.o.}(\tau^+)$, i.e. a first order sentence in the vocabulary $\tau^+ = \tau \cup \{\in\}$

(d) $\mathbf T$ is an inductive scheme for $\mathcal L_{\rm f.o.}$

(e) every subformula of $\chi$, of $\psi_\ell$ and of $\varphi_\ell$ has $< k$ free variables

(f) $\mathbf t_1, \mathbf t_2 \in \mathcal T$

(g) every formula $\psi_\ell$ has $< k/2$ free variables, and $k \ge 3$ of course.

Then

(α) let${}^4$ $\iota \in \{2, 3, 4, 5\}$; the truth values of $\theta_{\mathbf T, \chi, \mathbf t_1}$ in $M_1$ and of $\theta_{\mathbf T, \chi, \mathbf t_2}$ in $M_2$ under $\models_\iota$ are equal, except possibly when for some $\ell \in \{1, 2\}$ the truth value of $\theta_{\mathbf T, \chi, \mathbf t_\ell}$ in $M_\ell$ is undefined whereas that of $\theta_{\mathbf T, \chi, \mathbf t_{3-\ell}}$ in $M_{3-\ell}$ is well defined and $t_*[M_\ell, \mathbf T, \mathbf t_\ell] < t_*[M_{3-\ell}, \mathbf T, \mathbf t_{3-\ell}]$

(β) for any $t$, if $N^\ell = N_t[M_\ell, \mathbf T, \mathbf t_\ell]$ is well defined for $\ell = 1, 2$, then for every sentence $\theta \in \mathcal L_{\rm f.o.}(\tau^+)$ such that every subformula has at most $k$ free variables, we have $N^1 \models \theta \iff N^2 \models \theta$

(γ) if $\iota \in \{2, 3, 4, 5\}$ and $\theta_\ell = \theta_{\mathbf T, \chi, \mathbf t_\ell}$ is $\iota$-good for $\ell = 1, 2$, then $M_1 \models_\iota \theta_1$ iff $M_2 \models_\iota \theta_2$

(δ) for any $t$, if $N^\ell = N_t[M_\ell, \mathbf T, \mathbf t_\ell]$ is well defined for $\ell = 1, 2$ and $\theta = \theta(x_1, \dots, x_n) \in \mathcal L_{\rm f.o.}(\tau^+)$ is a formula such that every subformula has at most $k$ free variables, then:

⊛ if $a_1, \dots, a_n \in N^1$ and $g \in \mathscr H$, then $N^1 \models \theta[a_1, \dots, a_n]$ iff $N^2 \models \theta[G(g)(a_1), \dots, G(g)(a_n)]$.

${}^4$Here and below, for $\iota \in \{6, 7\}$ the conclusion is similar but expressed more cumbersomely.

Proof. First we can prove clause (δ) by induction on the quantifier depth of $\theta$, as in 2.9.

Second, note that clause (α) follows from clause (β).

Third, note that clause (β) follows from clause (δ) and the definition of satisfaction in 1.1.

Lastly, clause (γ) follows from the definition of $\iota$-good (and clause (β)). □2.22



2.23 Conclusion. Assume

(a) $\mathfrak Y_\ell = (M_\ell, I_\ell, \mathscr F_\ell)$ is a counting $k$-system, $\tau(M_\ell) = \tau$ for $\ell = 1, 2$

(b) $\mathscr H$ is a witness for the counting $k$-equivalence of $\mathfrak Y_1$ and $\mathfrak Y_2$

(c) $\chi \in \mathcal L_{{\rm card}, \mathcal T}$

(d) $\mathbf T$ is an inductive scheme for $\mathcal L = \mathcal L_{{\rm card}, \mathcal T}(\tau^+)$ or $\mathcal L_{\rm card}(\tau^+)$

(e) every subformula of $\chi$ and of $\psi_\ell$ (for $\ell < m_{\mathbf T}$) and of $\varphi_\ell$ (for $\ell < m_{\mathbf T}$) has at most $k-1$ free variables

(f) $\mathbf t \in \mathcal T$

(g) if $\ell < m_{\mathbf T}$ then $\psi_\ell$ has $< k/2$ free variables, and $k \ge 3$ of course.

Then

(α) if $\theta = \theta_{\mathbf T, \chi, \mathbf t}$ and $\iota \in \{2, 3, 4, 5, 6, 7, 11, 22\}$ then $M_1 \models_\iota \theta \iff M_2 \models_\iota \theta$ and $M_1 \models_\iota \neg\theta \iff M_2 \models_\iota \neg\theta$

(β) for any $t$, if $N^\ell = N_t[M_\ell, \mathbf T, \mathbf t]$ is well defined for $\ell = 1, 2$, then for every sentence $\theta \in \mathcal L$ such that every subformula has at most $k-1$ free variables, we have $N^1 \models \theta \iff N^2 \models \theta$

(γ) for any $t$, if $N^\ell = N_t[M_\ell, \mathbf T, \mathbf t]$ are well defined (for $\ell = 1, 2$), and $\theta = \theta(x_1, \dots, x_n) \in \mathcal L_{\rm f.o.}(\tau^+)$ is a formula such that every subformula has at most $k-1$ free variables, we have:

⊛ if $a_1, \dots, a_n \in N^1$ and $g \in \mathscr H$ and each $G(g)(a_i)$ is well defined, then $N^1 \models \theta[a_1, \dots, a_n]$ iff $N^2 \models \theta[G(g)(a_1), \dots, G(g)(a_n)]$.

Proof. Straight.



Now

2.24 Conclusion. Assume

(a) $\mathfrak Y_\ell = (M_\ell, I_\ell, \mathscr F_\ell)$ is a medium $\mathbf t$-dichotomical $k$-system, $\tau(M_\ell) = \tau$ for $\ell = 1, 2$

(b) $\mathscr H$ is a witness for the medium $\mathbf t$-dichotomical $k$-equivalence of $\mathfrak Y_1$ and $\mathfrak Y_2$

(c) $\chi \in \mathcal L_{\rm f.o.}(\tau^+)$

(d) $\mathbf T$ is an inductive scheme for $\mathcal L^* = \mathcal L_{\rm f.o.}(\tau^+)$

(e) every subformula of $\chi$ and of $\psi_\ell$ (for $\ell < m_{\mathbf T}$) and of $\varphi_\ell$ (for $\ell < m_{\mathbf T}$) has at most $k-1$ free variables

(f) $\mathbf t \in \mathcal T$

(g) if $\ell < m_{\mathbf T}$ then $\psi_\ell$ has $< k/2$ free variables, and $k \ge 3$ of course.

Then

(α) if $\theta = \theta_{\mathbf T, \chi, \mathbf t}$ and $\iota \in \{1, \dots, 5, 6, 7, 11, 22\}$ then $M_1 \models_\iota \theta \iff M_2 \models_\iota \theta$ and $M_1 \models_\iota \neg\theta \iff M_2 \models_\iota \neg\theta$

(β) for any $t$, if $N^\ell = N_t[M_\ell, \mathbf T, \mathbf t]$ is well defined for $\ell = 1, 2$, then for every sentence $\theta \in \mathcal L_{\rm f.o.}(\tau^+)$ such that every subformula has at most $k-1$ free variables, we have $N^1 \models \theta \iff N^2 \models \theta$.

Proof. Straightforward.



2.25 Discussion. We consider now some variants.

1) We have to consider the stopping times. If $\mathcal L$ is $\mathcal L_{{\rm card}, \mathcal T}$ this is natural (and these are stronger logics than the earlier variants). If we would still like to analyze the others in particular, we should be careful about how much information can be gotten from the time.

2) We can modify $\mathbf T$ such that in $N_{t+1}$ we can reconstruct the sequence $\langle (N_\ell, P_\ell) : \ell \le t \rangle$ (see §4).

3) We can change our presentation: first proving the equivalences for $\ell = 1, 2$ (see Definition 5.5) and then proving that $(N_t[M_\ell, \mathbf T, \mathbf t], P_t[M_\ell, \mathbf T, \mathbf t])$ is interpretable in $N$ uniformly.



§3 The Canonical Example

We apply §2 to the canonical example: a random enough graph.

3.1 Definition. Let $\tau$ be a fixed (finite) vocabulary consisting of predicates only. We say $M$ is an $(s, k)$-random $\tau$-model if every quantifier free 1-type over $A \subseteq M$, $|A| < k$ (not explicitly inconsistent) is realized in $M$ by at least $s(\|M\|)$ elements. If $s$ is constantly $\infty$ we may write $k$-random.

Remark. We can restrict the set of allowable quantifier free types if it is nice enough, e.g. $R$ two-place symmetric irreflexive. More generally see e.g. [BlSh 528].

3.2 Definition. $\mathcal T_{\rm pol}$ is $\mathcal T_Q$ where, for a set $Q \subseteq \mathbb R$ containing an unbounded set of reals $> 0$, $\mathcal T_Q = \{f_q : q \in Q, q > 0\}$ with $f_q : \omega \to \omega$ given by $f_q(n) = n^q$, or more exactly the least integer $\ge n^q$.
3.3 Claim. Assume

(a) $q^*, k$ are integers $\ge 1$ and $k^* = q^* k$

(b) $s$ is an integer with $0 < s < k$

(c) $M_\ell$ is an $(s_\ell, 3k^*)$-random $\tau$-model for $\ell = 1, 2$

(d) $\mathbf t_\ell(\|M_\ell\|) < (s_\ell(\|M_\ell\|))^{q^*+1}/(q^*+1)!$ and $s_\ell(\|M_\ell\|) \ge q^*$

(e) $\mathbf T$ is an inductive scheme for $\mathcal L_{\rm f.o.}$, $\chi$ is a sentence in $\mathcal L_{\rm f.o.}(\tau^+)$, and each subformula of any formula among $\psi_\ell$ ($\ell < m_{\mathbf T}$), $\varphi_\ell$ ($\ell < m_{\mathbf T}$) and $\chi$ has at most $s$ free variables.

Then

⊛ if $\iota \in \{2, 3, 4, 5, 6\}$ and $\theta_{\mathbf T, \chi, \mathbf t_\ell}$ is $\iota$-good (at least for $M_\ell$, that is, the truth values below are defined) for $\ell = 1, 2$, then $M_1 \models_\iota \theta_{\mathbf T, \chi, \mathbf t_1} \iff M_2 \models_\iota \theta_{\mathbf T, \chi, \mathbf t_2}$.

3.4 Remark. 1) Compare clause (β) with 2.21(2).

2) Why in 3.3 do we use clause (d)? As there we use $N_t[M_\ell, \mathbf T, \mathbf t_\ell]$, so for some $t$ we may add sets to $N_t[M_1, \mathbf T, \mathbf t_1]$ (in defining $N_{t+1}[M_1, \mathbf T, \mathbf t_1]$) but not add the corresponding sets to $N_t[M_2, \mathbf T, \mathbf t_2]$ in defining $N_{t+1}[M_2, \mathbf T, \mathbf t_2]$.

3) We concentrate on $\iota$-good sentences (or local versions) in order to have neat results. Otherwise we really have to be more careful, e.g. about the cardinalities of the $N_t[M_\ell, \mathbf T, \mathbf t_\ell]$'s. This is very reasonable for counting logic.

4) We have ignored in this claim, and in others in this section, the cases $10 < \iota$. We can deal with them if we note the following required changes. We have to note that the function $\mathbf t$ is split into two functions: one, $\mathbf t^{\rm sp}$, for telling us how to increase $N_t$ to $N_{t+1}$, that is which additional families of subsets of $N_t$ are allowed to be added, and for this function the parallel of clause (d) should be demanded. Secondly we have to consider what families are added in each stage (so for the counting and the medium analog our situation may be better).

Proof. We let $I_\ell = \{A \subseteq M_\ell : |A| \le q^*\}$ and

$\mathscr F_\ell = \{f : f$ is a partial automorphism of $M_\ell$ and ${\rm Dom}(f)$ has $\le q^* k$ elements$\}$.

$(*)_1$ $\mathfrak Y_\ell = (M_\ell, I_\ell, \mathscr F_\ell)$ is a $k$-system

[why? the least obvious clause in Definition 2.1(1) is clause (D), which holds by Definition 3.1 above.]

$(*)_2$ $\mathfrak Y_\ell = (M_\ell, I_\ell, \mathscr F_\ell)$ is $(\mathbf t_\ell, s)$-dichotomical (see Def 2.1(4)).

Why? The proof of $(*)_2$ takes most of the proof. Let $m \in \mathbb N$ be such that $1 \le m \le s$ and let $E$ be an equivalence relation on $h^*/\mathscr F_\ell$, where $h^* : [m] \to {\rm Seq}_{I_\ell}$ satisfies $(*)$ of clause (δ) of Definition 2.1(3). For $h \in h^*/\mathscr F_\ell$ let $\bar b_h$ be the concatenation of $h(1), h(2), \dots, h(m)$. Without loss of generality $h^*$ is one-to-one and even $\bar b_{h^*}$ is without repetitions. Let $t^* = \ell g(\bar b_{h^*})$, so $t^* \le q^* k \le k^*$. By clause (c) and the definition of $\mathscr F_\ell$ there is a quantifier free formula $\varphi(\bar x, \bar y) \in \mathcal L(\tau)$ with $\ell g(\bar x) = \ell g(\bar y) = t^*$ such that $h_1 E h_2$ iff $M_\ell \models \varphi[\bar b_{h_1}, \bar b_{h_2}]$.

Clearly without loss of generality $\varphi(\bar x, \bar y)$ tells us the quantifier free type of $\bar x$ and of $\bar y$ (the same as that of $\bar b_{h^*} = h^*(1) {}^\frown h^*(2) {}^\frown \dots {}^\frown h^*(m)$); call it $p(\bar x)$ and let $p[M_\ell] = \{\bar a \in {}^{t^*}(M_\ell) : \bar a$ realizes $p(\bar x)\}$, so we can look at $E$ restricted to this set. Can there be $\bar a_0, \bar a_1 \in {}^{t^*}(M_\ell)$ realizing the same quantifier free type $p(\bar x)$ (over the empty set) which are not $E$-equivalent? If not, then $|p[M_\ell]/E| = 1$ and we are done, so assume there are. We can find $\bar a_2 \in {}^{t^*}(M_\ell)$ realizing the same quantifier free type $p(\bar x)$ and disjoint from $\bar a_0, \bar a_1$ (use "$M_\ell$ is $(s_\ell, 3k^*)$-random"), so $\bar a_2, \bar a_j$ are not $E$-equivalent for some $j \in \{0, 1\}$; so without loss of generality $\bar a_0, \bar a_1$ are disjoint. Now we ask: "are there disjoint $\bar b_0, \bar b_1 \in {}^{t^*}(M_\ell)$ realizing $p(\bar x)$ which are $E$-equivalent?" If yes, we easily get a contradiction to "$E$ is an equivalence relation" (by finding $\bar b'$, a sequence from $M_\ell$ realizing $p(\bar x)$, such that both $\bar b' {}^\frown \bar a_0$ and $\bar b' {}^\frown \bar a_1$ realize the same quantifier free type as $\bar b_0 {}^\frown \bar b_1$; contradiction). So: no disjoint $\bar b_0, \bar b_1 \in p[M_\ell]$ are $E$-equivalent. Next we claim that

⊠ for some $u \subseteq [0, t^*)$ and subgroup $\mathbf g$ of the group of permutations of $u$, moreover of $\mathbf g^* = \{\sigma \in {\rm Per}(u) :$ if $\bar a \in {}^{t^*}(M_\ell)$ realizes $p(\bar x)$ then $\langle a_{\sigma(i)} : i \in u \rangle$ realizes the same quantifier free type as $\bar a \restriction u\}$, we have:

$E \restriction \{\bar a \in {}^{t^*}(M_\ell) : \bar a$ realizes $p(\bar x)\} = E_{\mathbf g} \restriction \{\bar a \in {}^{t^*}(M_\ell) : \bar a$ realizes $p(\bar x)\}$,

where for any subgroup $\mathbf g'$ of $\mathbf g^*$, $E_{\mathbf g'}$ is defined by: for $\bar a, \bar b \in {}^{t^*}(M_\ell)$, $\bar a E_{\mathbf g'} \bar b$ iff $(\exists \sigma \in \mathbf g')(\langle a_{\sigma(t)} : t \in u \rangle = \langle b_t : t \in u \rangle)$ (this is an equivalence relation).

[Why? It is enough to show: assume $\bar a, \bar b, \bar c \in {}^{t^*}(M_\ell)$ realize $p(\bar x)$, $\bar a, \bar b$ are $E$-equivalent, $r^* < t^*$ and $a_{r^*} \notin \{b_t : t < t^*\}$; then $\bar c/E$ does not depend on $c_{r^*}$ (i.e. if $\bar c' \in {}^{t^*}(M_\ell)$ realizes $p(\bar x)$ and $r' < t^* \ \&\ r' \ne r^* \Rightarrow c_{r'} = c'_{r'}$, then $\bar c E \bar c'$). Toward this end, let $\sigma$ be the partial function from $[0, t^*)$ to $[0, t^*)$ such that $\sigma(r_1) = r_2$ iff $a_{r_1} = b_{r_2}$. Clearly $\sigma$ is one to one and $r^* \notin {\rm Dom}(\sigma)$.

We choose by induction on $j \le t^*$ a sequence $\bar d^j \in p[M_\ell]$ such that $\bar d^0 = \bar a$, $\bar d^1 = \bar b$, the quantifier free type of $\bar d^j {}^\frown \bar d^{j+1}$ in $M_\ell$ is the same as the quantifier free type of $\bar d^0 {}^\frown \bar d^1 = \bar a {}^\frown \bar b$ in $M_\ell$, and $(\forall r)[d^{j+1}_r \notin \{d^j_t : t < t^*\} \Rightarrow d^{j+1}_r \notin \{a_t : t < t^*\}]$.

Clearly $j < t^* \Rightarrow \bar d^j E \bar d^{j+1}$, hence $j \le t^* \Rightarrow \bar a E \bar d^j$. Let $\sigma^j$ be the partial function from $[0, t^*)$ to $[0, t^*)$ defined by $\sigma^j(r_1) = r_2$ iff $a_{r_1} = d^j_{r_2}$. Clearly $\sigma^0 = {\rm id}_{[0, t^*)}$ and $\sigma^{j+1} = \sigma \circ \sigma^j$. Clearly $\sigma^{t^*}$ is the identity function on some subset of $[0, t^*)$. Now given $\bar c'$ as above we can find $\bar b \in p[M_\ell]$ such that $\bar c' {}^\frown \bar b$ and $\bar c {}^\frown \bar b$ realize the same quantifier free type as $\bar d^0 {}^\frown \bar d^{t^*}$, hence $\bar c E \bar b \ \&\ \bar c' E \bar b$, hence $\bar c E \bar c'$.] Easily we are done proving ⊠.

⊠' $p[M_\ell]/E$ has cardinality $\ge (s_\ell(\|M_\ell\|))^{|u|} \cdot (|\mathbf g^*|/|\mathbf g|)$.

[Why? Clear by ⊠ and Definition 3.1.]

This number is $\ge (s_\ell(\|M_\ell\|))^{|u|}/|u|!$. Hence if $|u| > q^*$, as $s_\ell(\|M_\ell\|) > k^* = q^* k > |u| > q^*$ (see assumption (d)), the number is $\ge (s_\ell(\|M_\ell\|))^{q^*+1}/(q^*+1)!$, which by assumption (d) is $> \mathbf t_\ell(\|M_\ell\|)$, and we get one of the allowable answers in Definition 2.1(4). So we can assume that $|u| \le q^*$, and this gives the second possibility; so we have finished proving $(*)_2$.

Choiceless Polynomial Time Logic: Inability to Express 113

Let

$\mathscr H = \{f : f$ is a partial embedding of $M_1$ into $M_2$ with ${\rm Dom}(f)$ having $\le q^* k$ members$\}$.

$(*)_3$ $\mathscr H$ is a $(k, s)$-witness to the equivalence of $(\mathfrak Y_1, \mathbf t_1)$ and $(\mathfrak Y_2, \mathbf t_2)$

[why? straight.]

So we can apply 2.22 and get the desired result. □3.3

Lastly, we can conclude the answer to the question in [BGSh 533]:

3.5 Theorem. 1) Assume $\iota \in \{2, 3, 4, 5\}$, $\tau = \{R\}$, $R$ binary symmetric irreflexive, $p \in (0, 1)_{\mathbb R}$ and $\mathcal T$ are given, and each $\mathbf t \in \mathcal T$ is bounded by a polynomial. The logic $\mathcal L(\mathcal L_{\rm f.o.})(\tau)$ satisfies the undecided 0-1 law for finite random enough models, that is graphs with a fixed probability $p \in (0, 1)$, which means: if $\theta_1 = \theta_{\mathbf T, \chi, \mathbf t} \in \mathcal L(\mathcal L_{\rm f.o.})(\tau)$ and $\theta_0 = \theta_{\mathbf T, \neg\chi, \mathbf t}$ then $\langle {\rm Min}\{{\rm Prob}(\mathscr M_n \models \theta_0), {\rm Prob}(\mathscr M_n \models \theta_1)\} : n < \omega \rangle$ converges to zero${}^5$, where $\mathscr M_n$ is $G(n, p)$, the random graph on $n$ vertices with edge probability $p$.

2) Moreover also the undecided${}^5$ 0-1 law holds, which means: if $\theta_1 = \theta_{\mathbf T, \chi, \mathbf t} \in \mathcal L(\mathcal L_{\rm f.o.})(\tau)$ and $\theta_0 = \theta_{\mathbf T, \neg\chi, \mathbf t}$ then for some $\ell \in \{0, 1\}$ the sequence $\langle {\rm Prob}(\mathscr M_n \models \theta_\ell) : n < \omega \rangle$ converges to zero.

3) Similarly for any fixed (finite) vocabulary $\tau$ consisting of predicates only, $\bar p = \langle p_R : R \in \tau \rangle$, $p_R \in (0, 1)_{\mathbb R}$.

Proof. 1) Let $\theta_0, \theta_1, \mathbf T, \chi, \mathbf t$ be as above and $\varepsilon > 0$. Let $s$ be large enough such that assumption (e) of 3.3 holds, and choose $k = 3s$ so that assumption (b) there holds. We choose $s(n) = (n - k) \times {\rm Min}\{p^k/2, (1-p)^k/2\}$ and let $q^*$ be an integer $> 0$ such that for $n$ large enough $s(n)^{q^*} > \mathbf t(n)(q^*+1)!$, and let $k^* = q^* k$.

Let $n$ be large enough and $\mathscr M_n$ be random enough (for $G(n, p)$). We would like to apply Claim 3.3 with $M_1 = M_2 = \mathscr M_n$ and $\mathbf T, \chi$ as in the definition of $\theta_0, \theta_1$ and $\mathbf t_1 = \mathbf t_2 = \mathbf t$ and $s_1 = s_2$ large enough. This is straight, noting that the case where the truth value of $\theta_1$ in $\mathscr M_n$ is undefined, i.e. we run out of resources, just helps us.

2) Similarly, this time for $n$ large enough, $n_1 > n$, $n_2 > n$ and $\mathscr M_{n_1}, \mathscr M_{n_2}$ random enough (for $G(n_1, p)$, $G(n_2, p)$ respectively).

3) Similarly. □3.5

3.6 Discussion. 1) It is reasonable to consider the undecided law if we know that the $(N_t[M_\ell, \mathbf T, \mathbf t_\ell], P_t[M_\ell, \mathbf T, \mathbf t_\ell])$ for $\ell = 1, 2$ are quite equivalent for every $t$ when $\|M_1\| = \|M_2\|$, but we do not have information otherwise.

2) We might prefer to have the usual zero-one law. There are some avenues to get it (at some price), see also 3.7, 3.8 below; we may consider all sentences, $\iota \in \{2, \dots, 5\}$ and the usual 0-1 law.

We have to try to use $\mathbf t$ which tries to diagonalize the right sets. That is, using 3.3 for $\mathbf t_1 = \mathbf t_2 = \mathbf t$, we can get strong enough equivalence of $N_t[M_1, \mathbf T], N_t[M_2, \mathbf T]$, which is fine if $\|M_1\| = \|M_2\|$; so it is enough if $N_{t_1}[M_1, \mathbf T], N_{t_2}[M_2, \mathbf T]$ with $t_1 = t_*[M_1, \mathbf T, \mathbf t_1]$, $t_2 = t_*[M_2, \mathbf T, \mathbf t_2]$ are quite equivalent, and we choose $\mathbf t$ such that they are. We can define $N_t \restriction \{0, \dots, t-1\}$; this requires $\mathbf t(\|M_\ell\|)$ to be quite large compared to $\|M_\ell\|$. So we can get our desired 0-1 laws and all possible $\iota$'s, but for a logic remote from our intention.

${}^5$We do not ask that for some $\ell < 2$ the probability of the satisfaction of $\theta_\ell$ converges to 1, as the decision when to stop may be complicated. If we e.g. use an inside "clock" to tell us when to stop, this disappears.

On the other hand, we may restrict our family of sentences (here):

3.7 Theorem. If in Theorem 3.5 we restrict ourselves to the good sentences, i.e. the logic is $(\mathcal L_{\rm f.o.})^{\rm good}$ and $\iota \in \{2, 3, 4, 5\}$, then the usual 0-1 law holds.

Proof. Similar. □3.7

3.8 Theorem. 1) Assume $\iota \in \{2, 3, 4, 5\}$, $\tau = \{R\}$, $R$ a binary symmetric irreflexive predicate, $p \in (0, 1)_{\mathbb R}$ and $\mathcal T$ are given, and for each $\mathbf t \in \mathcal T$ for some integer $r$ and $s \in (0, 1/2)_{\mathbb R}$ we have $0 = \lim \langle \mathbf t(n)/\ldots : n \in \mathbb N \rangle$ and $\infty = \lim \langle \mathbf t(n)/\ldots : n \in \mathbb N \rangle$. Then the logic satisfies the results in 3.3 - 3.7.

2) Similarly for any fixed (finite) vocabulary $\tau$ consisting of predicates only, $\bar p = \langle p_R : R \in \tau \rangle$, $p_R \in (0, 1)_{\mathbb R}$.



Proof. 1) Suppose that $M \models_\iota \theta$, and that this is because in stage $t^*$ the run stops, i.e. in a good way; and assume further that $M$ is a random enough graph (for our given $\mathbf T$ and $\chi$). We can find $E_\ell$ for $\ell < \ell^*$ such that $E_\ell$ is a quantifier free formula with $2m_\ell$ variables defining an equivalence relation on $p_\ell(M)$ for every random enough graph $M$, where $p_\ell(\bar x)$ is a complete quantifier free type with variables said to be pairwise distinct. We can find non-negative integers $c_{\ell, t}$ for $\ell < \ell^*$, $t < t^*$ such that: if $M$ is a random enough graph and $N_t = N_t[M, \mathbf T]$ then $\|N_t\| = \sum_{\ell < \ell^*} c_{\ell, t} \, |({}^{m_\ell}M)/E_\ell|$. Now the expected value of $|({}^{m_\ell}M)/E_\ell|$ is of the form $p' \times {\rm binomial}(n, m_\ell)$ for some constant $p'$. The distribution is similar enough to normal (see [Sh 550]) to ensure that the run on $M$ will not stop for $t < t^*$ for overusing resources.

2) Similarly. □3.8

What we have done for random graphs we can do for a unary predicate. The point is to replace Claim 3.3 by a parallel one (the rest will follow).

3.9 Claim. 1) Assume that the vocabulary $\tau$ is $\{P\}$, $P$ a unary predicate, and

(a) $q^+, q^-, k$ are integers $\ge 1$ and $h$ is a decreasing (not necessarily strictly) function from $\{0, 1, \dots, q^+\}$ to $\{0, 1, \dots, q^-\}$

(b) $s$ is an integer $< k$ but $> 0$

(c) $M_\ell$ is a $\tau$-model for $\ell = 1, 2$

(d) if $q \le q^+$ then

(i) $\mathbf t_\ell(\|M_\ell\|)$ is at least $\ldots \times |M_\ell \setminus P^{M_\ell}|$

(ii) $\mathbf t_\ell(\|M_\ell\|)$ is strictly smaller than ${\rm binomial}(|P^{M_\ell}|, q+1) \times {\rm binomial}(|M_\ell \setminus P^{M_\ell}|, h(q))$

(iii) $\mathbf t_\ell(\|M_\ell\|)$ is strictly smaller than ${\rm binomial}(|P^{M_\ell}|, q) \times {\rm binomial}(|M_\ell \setminus P^{M_\ell}|, h(q)+1)$.

2) The parallel of 3.5 - 3.8 holds.

Proof. Similar, but letting $I_\ell = \{A \subseteq M_\ell :$ for some $q \le q^+$ we have $|A \cap P^{M_\ell}| \le q$ and $|A \setminus P^{M_\ell}| \le h(q)\}$. □3.9

3.10 Definition. 1) We say $M$ is a $\tau$-model with $k$-elimination of quantifiers if for every subsets $A_0, A_1$ of $M$ with $|A_0| = |A_1| < k$, every isomorphism $f$ from $M \restriction A_0$ onto $M \restriction A_1$ and every $a_0 \in M$ there is $a_1 \in M$ such that $f' = f \cup \{(a_0, a_1)\}$ is an isomorphism from $M \restriction (A_0 \cup \{a_0\})$ onto $M \restriction (A_1 \cup \{a_1\})$.

2) We replace "quantifiers" by "quantifiers and counting" if we add: the two sets $\{a'_0 \in M : a'_0, a_0$ realize the same quantifier free type over $A_0\}$ and $\{a'_1 \in M : a'_1, a_1$ realize the same quantifier free type over $A_1\}$ have the same number of elements (we can then extend this to equivalence relations on $m$-tuples).

3.11 Claim. 1) Assume (a), (b), (e) of 3.3, replacing first order by counting logic, and

(c)$'$ (α) $M_\ell$ are $\tau$-models which have $k$-elimination of quantifiers, for $\ell = 1, 2$

(β) if $\varphi(\bar x, \bar y)$ is a quantifier free formula defining an equivalence relation and $\ell g(\bar x) = \ell g(\bar y) \le k^*$ then the number of classes is $> \mathbf t_\ell(\|M_\ell\|)$ for $\ell = 1, 2$, or for some $u \subseteq [0, \ell g(\bar x))$ with $\le q^*$ elements some $\varphi'(\bar x \restriction u, \bar y \restriction u)$ defines the equivalence relation in $M_1$ and in $M_2$

(γ) if $2r + s < k$ and for $\ell = 1, 2$, $\bar a_\ell \in {}^s(M_\ell)$, $\bar x^j = \langle x^j_i : i < r \rangle$ for $j = 1, 2$, $\varphi_\ell = \varphi_\ell(\bar x^1, \bar x^2, \bar a_\ell)$ is first order and defines in $M_\ell$ an equivalence relation $E_\ell$, $\varphi_1 = \varphi_2$ and the quantifier free types of $\bar a_1$ in $M_1$ and of $\bar a_2$ in $M_2$ are equal, then $|{}^r(M_1)/E_1|, |{}^r(M_2)/E_2|$ are equal, or $|{}^r(M_1)/E_1| > \mathbf t_1(\|M_1\|)$ & $|{}^r(M_2)/E_2| > \mathbf t_2(\|M_2\|)$.

Then

⊛ if $\iota \in \{1, \dots, 7, 11, \dots, 17, 21, \dots, 27\}$ then $M_1 \models_\iota \theta_{\mathbf T, \chi, \mathbf t_1} \iff M_2 \models_\iota \theta_{\mathbf T, \chi, \mathbf t_2}$.

2) We have a theorem like 3.5, 3.8 (for $\iota$ as above) using 3.11(1) instead of 3.3.

3) We can in parts (1), (2) and in 3.3, 3.5, 3.7, 3.8 replace $\mathcal L_{\rm f.o.}$ by $\mathcal L_{\rm f.o.+na}$.

Proof. Straight.

3.12 Claim. 1) Choiceless polynomial time does not capture counting logic.

2) Similarly for the pair $(\mathcal L(\mathcal L_{\rm f.o.}), \mathcal L(\mathcal L_{\rm f.o.+na}))$, the pair $(\mathcal L(\mathcal L_{\rm f.o.+na}), \mathcal L(\mathcal L_{\rm card}))$ and the pair $(\mathcal L(\mathcal L_{\rm f.o.+na}), \mathcal L(\mathcal L_{{\rm card}, \mathcal T}))$.

3) We can apply 3.11 to show that the pairs of models from [GuSh 526] are not distinguished by our logics (for a sentence $\theta$, for $n$ large enough).

Proof. 1) Use 2.22, 3.9 on the question "$|P^M| > \|M\|/2$" with $\tau = \{P\}$.

2), 3) Also easy. □3.12

3.13 Remark. Y. Gurevich asks for 0-1 laws, as in 3.3 - 3.8, for the general framework of §2. The answer is quite straight by 3.14, 3.15, when we use constant $I$.

3.14 Definition. Let $\tau$ be a fixed vocabulary consisting of predicates only. We say $M$ is an $(s, k)$-random model if every quantifier free 1-type over $A \subseteq M$, $|A| < k$ (not explicitly inconsistent) is realized in $M$ by at least $s(\|M\|)$ elements.

We are, of course, using

3.15 Claim. Let $k, s > 0$ be integers, let $\tau = \{R\}$, $R$ symmetric irreflexive, and $p \in (0, \tfrac12]_{\mathbb R}$. The probability that, for $\mathscr M_n$ a $G(n, p)$ random graph (so the set of vertices is $[n]$), $(\mathscr M_n, I)$ is not $(s, k)$-random is $\le \sum_{\ell < k} {\rm binomial}(n, \ell) \times {\rm Prob}$(flipping $n - \ell$ times a coin with probability $p/2^\ell$ for a head we get $< s$ heads).
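Definitions 3.1/3.14 and 3.10 and the bound in 3.15 are all decidable on a concrete finite graph, and anyone wanting to check that a given structure is "random enough" in the sense required by Claim 3.3 needs exactly these checks. The following Python is added here as a worked example (it is not part of the paper, which contains no code): it implements $(s,k)$-randomness for graphs (every quantifier free 1-type over a set of fewer than $k$ vertices, i.e. a choice of neighbours inside that set together with "$x$ is not in the set", is realized by at least $s$ vertices outside it), $k$-elimination of quantifiers as the back-and-forth extension property of Definition 3.10(1), and the probability bound of Claim 3.15 exactly as it is stated there. The inputs are constructed for the example: the Paley graph on 13 vertices (a strongly regular graph with parameters $(13,6,2,3)$) and the path on 4 vertices; $s$ is taken as a constant rather than a function of $\|M\|$.

```python
"""Finite-model checks for Definitions 3.1/3.14, 3.10 and Claim 3.15.

Added worked example, not code from the paper.  A graph is (n, edges) with
vertices 0..n-1 and edges a set of ordered pairs closed under reversal
(R symmetric and irreflexive).
"""
from itertools import combinations, permutations
from math import comb


def paley13():
    """Constructed input: the Paley graph on Z/13, strongly regular with
    parameters (13,6,2,3); a and b are adjacent iff a-b is a nonzero square."""
    squares = {(i * i) % 13 for i in range(1, 13)}
    edges = {(a, b) for a in range(13) for b in range(13) if (a - b) % 13 in squares}
    return 13, edges


def path(n):
    """Constructed input: the path 0-1-...-(n-1)."""
    edges = {(i, i + 1) for i in range(n - 1)} | {(i + 1, i) for i in range(n - 1)}
    return n, edges


def qf_type(edges, A, b):
    """Quantifier free 1-type of b over the tuple A: which members of A it is adjacent to."""
    return tuple((a, b) in edges for a in A)


def is_s_k_random(graph, s, k):
    """Definition 3.1 for graphs: for every A with |A| < k, each of the 2^|A|
    consistent types over A (a subset of A as neighbours, x not in A) is
    realized by at least s vertices outside A."""
    n, edges = graph
    for size in range(k):
        for A in combinations(range(n), size):
            counts = {}
            for b in range(n):
                if b not in A:
                    t = qf_type(edges, A, b)
                    counts[t] = counts.get(t, 0) + 1
            if len(counts) < 2 ** size or min(counts.values(), default=0) < s:
                return False
    return True


def has_k_quantifier_elimination(graph, k):
    """Definition 3.10(1): for all A0, A1 with |A0| = |A1| < k, every isomorphism
    f: M|A0 -> M|A1 (the ordered tuple A1 is f applied to A0 position-wise) and
    every a0, some a1 makes f U {(a0,a1)} an isomorphism of induced substructures."""
    n, edges = graph
    verts = range(n)
    for size in range(k):
        for A0 in combinations(verts, size):
            for A1 in permutations(verts, size):
                if any(((A0[i], A0[j]) in edges) != ((A1[i], A1[j]) in edges)
                       for i in range(size) for j in range(size)):
                    continue  # f is not an isomorphism of M|A0 onto M|A1
                for a0 in verts:
                    if a0 in A0:
                        continue  # a1 = f(a0) works trivially
                    want = qf_type(edges, A0, a0)
                    if not any(b not in A1 and qf_type(edges, A1, b) == want
                               for b in verts):
                        return False
    return True


def prob_fewer_than_s_heads(flips, p, s):
    """P(Binomial(flips, p) < s)."""
    return sum(comb(flips, h) * p ** h * (1 - p) ** (flips - h) for h in range(s))


def not_random_bound(n, p, s, k):
    """The upper bound of Claim 3.15, as stated there, on the probability that
    G(n,p) is not (s,k)-random: sum over l < k of C(n,l) times the probability
    that n-l coin flips with head probability p/2^l give fewer than s heads."""
    return sum(comb(n, l) * prob_fewer_than_s_heads(n - l, p / 2 ** l, s)
               for l in range(k))


if __name__ == "__main__":
    g = paley13()
    print("Paley(13) is (2,3)-random:", is_s_k_random(g, 2, 3))              # True
    print("Paley(13) is (3,3)-random:", is_s_k_random(g, 3, 3))              # False
    print("Paley(13) has 3-elimination:", has_k_quantifier_elimination(g, 3))  # True
    print("P_4 has 3-elimination:", has_k_quantifier_elimination(path(4), 3))  # False
    print("3.15 bound for n=50, p=1/2, s=1, k=3:", not_random_bound(50, 0.5, 1, 3))
```

The two checks on Paley(13) are exact: since it is strongly regular with $\lambda = 2$ and $\mu = 3$, a non-adjacent pair has exactly $13 - 2 - 3 - 3 - 3 = 2$ common non-neighbours, so the graph is $(2,3)$-random but not $(3,3)$-random, and because every type over at most two vertices is realized, the extension property of 3.10 holds for $k = 3$. The path $P_4$ fails 3-elimination: mapping the edge $\{0,1\}$ onto $\{1,2\}$ by $0 \mapsto 2$, $1 \mapsto 1$, the vertex 3 (adjacent to neither 0 nor 1) has no image adjacent to neither 2 nor 1.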



§4 Relating the Definitions in [BGSh 533] to the Ones Here

4.1 Discussion. If we just like to replace the creation of $N_t[M, \mathbf T, \mathbf t]$ by an ASM, we can note that we can straightforwardly code the actions of the ASM by a monotone $\mathbf T$; the waste is small, except that we are not allowed to omit old elements, so for fine measurements this makes a difference. But we can just replace $N_t[M, \mathbf T, \mathbf t]$ by a situation of the ASM with no loss and no real difference in the proofs. Still, the reader may, instead of just accepting or understanding this observation, choose to read the formal translation below. Though this seems trivial, writing the details of a translation is tedious.

4.2 Discussion. How do we relate the definitions above and those of [BGSh 533]?

(i) an input structure $I$ there corresponds to a $\tau$-model here

(ii) a state $A$ there corresponds to a model of the form $N = N_t[M, \mathbf T]$ in 1.3 and $(N, P)$ in 1.8

(iii) a dynamic function there corresponds to $P_{t, \ell}$ here

(iv) an object $x$ being active at $A$ in 5.1 there corresponds to $x \in N$

(v) a program (5.7 there) corresponds to a $\mathbf T$ in 1.1(2) here (mainly the first order formulas used);

(vi) the counting function in 5.5 there corresponds to the cardinality quantifier (1.1(6)) here

(vii) the polynomial functions $p, q$ in 5.1 there correspond to $\mathbf t \in \mathcal T$ here

(viii) the logic there corresponds to $\mathcal L(\mathcal L_*)$, $\mathcal L_* \in \{\mathcal L_{\rm f.o.}, \mathcal L_{\rm f.o.+na}, \mathcal L_{\rm card}\}$ here.

If we insist on the $P_\ell$ being individual constants this still can be done, with a price. The $P_{t+1, \ell}$ can, in the usual set theoretic manner, actually be $j$-place functions from $N_t$ to $N_t$ or $j$-place relations on $N_t$, or be the universe of $N_t$. Understanding this, to interpret the successor step there to here we need that all parts of the program are expressible in $\mathcal L_{\rm f.o.}$ (or $\mathcal L_{\rm card}$). For the other direction we need to show that f.o. operations can be expressed by the programs of the ASM there (see 6.1 there): no problem (and not needed to show that our results solve problems there).

4.3 Lemma. 1) Let $\pi$ be a program concerned with $\tau$-models (in the sense of [BGSh 533, §4-7]). We can find a natural number $r^* \ge 1$ and $\mathbf T$ such that:

⊠1 (a) $\mathbf T$ is an inductive scheme in $\mathcal L_{\rm f.o.}$ with $\tau_{\mathbf T} = \tau^+$

(b) for all integer polynomials $p(n), q(n)$ and every $\tau$-model $M$ such that $p(n) \ge 2$, $q(n) \ge n + 2$ we have $M \models \theta_{\mathbf T, p^*(n), q^*(n)}$ (in the sense of Definition 1.3) iff $M \models \pi$ (in the sense of [BGSh 533]), where

(*) $p^*(n) = 3 + r^* p(n)$, $q^*(n) = 2 + 2q(n)$.

2) If $\pi$ is as in [BGSh 533, §11], that is with being able to compute the cardinality of $M$ (= the set of atoms), then a similar result holds but $\mathbf T$ is in $\mathcal L_{\rm f.o.+na}$.

3) If $\pi$ is as in [BGSh 533] for cardinality logic (see there), then a similar result holds but $\mathbf T$ is in $\mathcal L_{\rm card}$ and spaces do not use $\theta_{\mathbf T, 3+n+r^* p(n), 2+n+2q(n)}$.

4) We can replace $p, q$ by arbitrary functions from $\mathcal T$ and get similar results.

Before proving 4.3:

4.4 Observation. 1) If we identify truth, false with the sets $\emptyset$, $|M|$ and $m_{\mathbf T}$ is as in 1.1, then the states (for $\pi$, i.e. $\mathbf T$ there, etc.) of [BGSh 533] are the same as $(M, m_{\mathbf T})^+$-candidates here, when we identify a state there with its set of active elements (O.K., as they carry the same information). Sometimes we use any transition set $\subseteq \mathcal V_\infty(M)$ containing the active members.
The main point is

4.5 Claim. Let $\pi$ be a program concerned with $\tau$-models, and let the states correspond to candidates.

1) For every term $\sigma$, for some natural number $r(\sigma)$ (actually at most its depth) and pure inductive scheme $\mathbf T$ which is monotonic and has $\psi_0 = [y = \sigma(\bar x)]$, we have:

⊠1 if $(N_i, P_i)$ is an $(M, m_{\mathbf T})$-candidate for $i = 0, \dots, r(\sigma)$ and $(N_{i+1}, P_{i+1})$ is the $(M, \mathbf T)$-successor of $(N_i, P_i)$, and $\zeta$ is a variable assignment of $\bar x$, a sequence listing the free variables of $\sigma$, into $N_0$, then the interpretation of $\sigma$ under $\zeta$ in $N_0$, $d := {\rm val}_{N_0, \zeta}(\sigma)$, is an element of $N_{r(\sigma)}$.

2) Moreover in (1) we can also find formulas $\langle \psi_{\ell, r}(x, \bar y, \bar z) : \ell < m_{\mathbf T}, r \le r(\sigma) \rangle$ such that

⊠2 in ⊠1 above we can add: if $r \le r(\sigma)$ and $N'_r = N_0 \cup (TC(d) \cap N_r)$, where $TC$ is transitive closure, then $N'_{r+1} = N'_r \cup \{a :$ for some $\bar b \in N'_r$, $(N'_r, P) \models \psi_{\ell, r}(a, \bar b, \zeta)\}$

(identifying $\zeta$ with a sequence of members of $N_0$).

3) For every rule $R$ (see [BGSh 533, §4-5]) there are $r(R) \in \mathbb N$ and an inductive scheme $\mathbf T$ in $\mathcal L_{\rm f.o.}$ such that ($P_0$ is a zero place relation):

⊠3 if $(N_i, P_i)$ is an $(M, \mathbf T)$-candidate for $i \le r(R)$ and $(N_{i+1}, P_{i+1})$ is the $\mathbf T$-successor of $(N_i, P_i)$ for $i < r(R)$ and $P_{0, 0} = {\rm truth}$, then $i < r(R) \Rightarrow N_i \subseteq N_{i+1}$, the stationary $(N_{r(R)}, P^-_{r(R)})$ is the $R$-update of $(N_0, P^-_0)$, and $P_{0, r(R)} = {\rm truth}$, where $P^-_i$ is the restriction of $P_i$.

4) In (3) we can even have

⊠4 $N_r = N_0 \cup \{x : x$ active in $N_{r^*}\}$.

Proof. 1) By induction on the term.

2) As $N_{r+2}$ can be (uniformly) interpreted in $N_r$.

3) By induction on the rule $R$. □4.5

Proof of 4.3.

We describe what a $\mathbf T$-successor is rather than say formally what $\mathbf T$ is. Let $r^* = r(R^\pi) + 1$, where $R^\pi$ is the rule which $\pi$ is.

Now the predicates (and function symbols) $\{P_k : k < m_{\mathbf T}\}$ serve several purposes:

kind 1: the dynamic predicate and function symbols of $\pi$, say $P_k$ for $k \in K(1)$; say $P_{k(1, 0)}$ will denote $\emptyset$ and $P_{k(1, 1)}$ will denote the set of atoms.

For notational simplicity

kind 2: $P_{k(2, 0)}$, a unary predicate, will serve to denote the set of active elements; and

kind 3: $P_{k(3, 1)}, \dots, P_{k(3, r^*)}$ will be zero place relations; they will denote the time modulo $r^*$, say for $t = 0$ they are all false, for $t = 1$ we get true, false, false, ..., for $t = 2$ we get true, true, false, ... (without loss of generality $r^* \ge 3$; for $t = 3 + r^* s + r$, $r < r^*$, we have $P_{k(3, r')} \equiv r' = r$). The reason is that in our translation one step of $\pi$ will be translated to $r^*$ steps in the construction of the $N_t$'s, and the translation begins only with $t = 1$. Now we can describe almost a translation.

Now $\mathbf T$ is such that:

(a) $N_1[M, \mathbf T]$ is $M \cup \{M, \emptyset\}$,

$N_2[M, \mathbf T]$ is $N_1[M, \mathbf T] \cup \{1\}$, recall $1 = \{0\}$,

$N_3[M, \mathbf T]$ is $N_2[M, \mathbf T] \cup \{1, 2\}$,

(b) if $t^* = 3 + r^* s$, then $P_{t^*, k(3, 0)} = {\rm true}$, $P_{t^*, k(3, 1)}, \dots, P_{t^*, k(3, r^*)}$ are false, and we take care that $P_{t^*+r, k(3, r')} \equiv r' = r \bmod r^*$ for $r' < r^*$ and $\langle (N_{t^*+i}, P_{t^*+i}) : i \le r(R^\pi) \rangle$ is as in 4.5(3)+(4). Moreover $P_{t^*+r^*} = P_{t^*+r(R^\pi)}$ and $N_{t^*+r^*}$ is the set of active members of $(N_{t^*+r(R^\pi)}, P_{t^*+r(R^\pi)})$.

Well, as in $\theta^* = \theta_{\mathbf T, 1+r^* p, q}$ and $r = 1$, the stopping decision for time will be the same, but we still have to deal with the space (up to now using $r + r^* p$ would be O.K.). However, between $t^*$ and $t^* + r^*$ we have to preserve $N_{t^*}$ till creating $N_{t^*+r(R^\pi)}$, and only then can we omit the elements of $N_{t^*}$ no longer necessary. So we will have

kind 4: individual constants $P_{k(4, 0)}, P_{k(4, 1)}, P_{k(4, 2)}$

(c) if $t = 3 + r^* s$ then: $P_{t, k(4, 0)} < P_{t, k(4, 1)} < P_{t, k(4, 2)}$ are the three last ordinals, $P_{t, k(4, 0)}$ is an active ordinal but not $P_{t, k(4, 1)}, P_{t, k(4, 2)}$, and $x \in N_{t^*}$ is active iff $P_{t, k(4, 2)} \cup x \in N_{t^*}$.

So $\|N_{t^*}\| = 2 + 2\|\{x \in N_{t^*} : x$ active$\}\|$.

Now starting with $N_{t^*}$, in deciding $N_{t^*+1}$ we omit all non-active elements except the two last ordinals and then do as earlier by 4.5(3)+(4) for $r = 1, \dots, r(R^\pi)$, taking care to have the right natural numbers.

So in defining $q^*$ we take care of the "doubling".

2), 3), 4) Similarly. □4.3

Less critical is the inverse relation.

4.6 Lemma. 1) Let $\mathbf T$ be an inductive scheme for $\mathcal L_{\rm f.o.}$, $\tau = \tau_{\mathbf T}$, $\chi \in \mathcal L_{\rm f.o.}(\tau)$.

Then we can find $r^* \ge 1$ and a program $\pi$ for the same vocabulary as in [BGSh 533, §4] such that for every integer polynomials $p(n), q(n)$ and $\tau$-model $M$:

$M \models_\iota \theta_{\mathbf T, \chi, p, q}$ (see Definition 1.3) iff $M \models \tilde\pi$, where $\tilde\pi = (\pi, p^*, q^*)$ and $\models$ is as in [BGSh 533, §4], with $p^*(n) = r^* p(n) + r^*$, $q^*(n) = q(n) + 2$.

4.7 Lemma. 1) If $\pi$ is as in [BGSh 533, §11], that is with being able to compute the cardinality of $M$ (= the set of atoms), then a similar result holds but $\mathbf T$ is in $\mathcal L_{\rm f.o.+na}$.

2) If $\pi$ is as in [BGSh 533] for cardinality logic (see there), then a similar result holds but $\mathbf T$ is in $\mathcal L_{\rm card}$ and spaces do not use $\theta_{\mathbf T, 3+n+r^* p(n), 2+n+2q(n)}$.

3) We can replace $p, q$ by arbitrary functions from $\mathcal T$ and get similar results.



Proof. 1) We ignore too short runs for simplicity. The “q{n) = q{n) + 2” comes 
from [BGSh 533] starting with two extra elements so during the computation we 
preserve having two entry elements (except when we notice we are to stop-see 
below) . 

Now every step of the computation for π is translated to r* steps during the
computation of the N_t[M, T]'s.

What do we do in those r* steps? First we compute the relations on N_t definable
by first order subformulas of the ψ's. We also translate the state of π to what it
should be in the next state, and then add the new elements (so N_{t+1} is
computed in N_t, as in 4.4).

2), 3), 4) Similar to part (1) + 4.3.

[How do we “compute” the first order formulas? Where P_{φ(x̄)} codes φ(x̄), we of
course represent all subformulas and do it inductively.]

Atomic formulas are given.

Negation is by “if P_{ψ(x̄)}(ā) = truth then P_{¬ψ(x̄)}(ā) = false, else
P_{¬ψ(x̄)}(ā) is truth” (and the appropriate “for all”; also adding dummy
variables is possible by “for all”).

For conjunctions φ(x̄) = φ_1(x̄) ∧ φ_2(x̄) use “if P_{φ_1(x̄)}(ā) = truth then
P_{φ(x̄)}(ā) = P_{φ_2(x̄)}(ā) else P_{φ(x̄)}(ā) = false”.

For the existential quantifier φ(x̄) = (∃y)ψ(y, x̄) use
“if P_{ψ(x̄,y)}(ā, b) = truth then P_{φ(x̄)}(ā) = truth else do nothing”. □
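The inductive computation just sketched, as an added worked example (this is not code from the paper): a small Python evaluator that stores, for every subformula φ, the relation P_φ of satisfying tuples over a finite structure and defines each P_φ from the tables of its immediate subformulas, using the three update rules above for negation, conjunction and the existential quantifier. The universe, the relation name E and the formulas are constructed for the illustration.

```python
"""Added example (not from the paper): computing the predicates P_phi for all
subformulas of a first-order formula over a finite structure, bottom up.
Structure, relation name and formulas below are constructed for illustration."""
from itertools import product

# Constructed finite structure: universe {0,1,2,3} and one binary relation E.
UNIVERSE = (0, 1, 2, 3)
STRUCTURE = {'E': {(0, 1), (1, 0), (1, 2), (2, 3)}}

# Formulas are nested tuples:
#   ('rel', 'E', 'x', 'y')   atomic E(x, y)
#   ('not', phi)
#   ('and', phi, psi)
#   ('exists', 'y', phi)
def free_vars(phi):
    op = phi[0]
    if op == 'rel':
        return tuple(dict.fromkeys(phi[2:]))
    if op == 'not':
        return free_vars(phi[1])
    if op == 'and':
        return tuple(dict.fromkeys(free_vars(phi[1]) + free_vars(phi[2])))
    if op == 'exists':
        return tuple(v for v in free_vars(phi[2]) if v != phi[1])
    raise ValueError(op)

def assignments(vars_, universe):
    for values in product(universe, repeat=len(vars_)):
        yield dict(zip(vars_, values))

def holds(entry, assignment):
    """P_psi(a-bar): look up the tuple the assignment gives psi's free variables."""
    vars_, table = entry
    return tuple(assignment[v] for v in vars_) in table

def evaluate(phi, universe, structure, tables=None):
    """Return (free variables, set of satisfying tuples) for phi.  Every
    subformula's relation is kept in `tables`, so each P_phi is defined only
    from the P_psi of its immediate subformulas, as in the inductive computation."""
    if tables is None:
        tables = {}
    if phi in tables:
        return tables[phi]
    op, vars_ = phi[0], free_vars(phi)
    table = set()
    def add(a):
        table.add(tuple(a[v] for v in vars_))
    if op == 'rel':                       # atomic: given by the structure
        for a in assignments(vars_, universe):
            if tuple(a[v] for v in phi[2:]) in structure[phi[1]]:
                add(a)
    elif op == 'not':                     # if P_psi(a) = truth then false else truth
        sub = evaluate(phi[1], universe, structure, tables)
        for a in assignments(vars_, universe):
            if not holds(sub, a):
                add(a)
    elif op == 'and':                     # if P_phi1(a) = truth then P_phi2(a) else false
        s1 = evaluate(phi[1], universe, structure, tables)
        s2 = evaluate(phi[2], universe, structure, tables)
        for a in assignments(vars_, universe):
            if holds(s1, a) and holds(s2, a):
                add(a)
    elif op == 'exists':                  # if P_psi(a, b) = truth for some b then truth
        y, sub = phi[1], evaluate(phi[2], universe, structure, tables)
        for a in assignments(vars_, universe):
            if any(holds(sub, {**a, y: b}) for b in universe):
                add(a)
    else:
        raise ValueError(op)
    tables[phi] = (vars_, table)
    return tables[phi]

# phi(x) = exists y (E(x,y) and not E(y,x)): x has an out-neighbour that
# does not point back.  SENTENCE closes it off with exists x.
PHI = ('exists', 'y', ('and', ('rel', 'E', 'x', 'y'),
                              ('not', ('rel', 'E', 'y', 'x'))))
SENTENCE = ('exists', 'x', PHI)

if __name__ == '__main__':
    print(evaluate(PHI, UNIVERSE, STRUCTURE))        # (('x',), {(1,), (2,)})
    print(evaluate(SENTENCE, UNIVERSE, STRUCTURE))   # ((), {()})
```

The table of a sentence is either {()} (true) or the empty set (false); every intermediate P_ψ stays available in `tables`, which is what the inductive construction in the text needs when the next step reads off the subformula relations.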



§5 Closing Comments 

We may consider a context is {K, such that logics related to our proof in §2. 
The first version in 5.1(3) changes the satisfaction the second (in 5.1(4),(4A)) 
changes also the syntax. 

5.1 Definition. 1) A context is a pair {K, such that 

(а) AT be a class of models with vocabulary (= the set of predicates) r 

(б) .y is a function 

(c) Dom(j^ = K 

(d) J^{M) is a family of subsets of M, whose union is |M|, and closed under 
subsets. 

lA) We call (AT, invariant if 

(e) c^is preserved by isomorphisms, i.e. if / is an isomorphism from Mi G AT 
onto M 2 G AT and A G J^(Mi) then /”(A) G J^(M 2 ). 
1B) We say “f is an 𝓕-isomorphism from M_1 ∈ K onto M_2 ∈ K” if f is an
isomorphism from M_1 onto M_2 such that 𝓕(M_2) = {f''(A) : A ∈ 𝓕(M_1)}.

Recall that y{M 2 )[k] = {U A^:Aee 

2) In 1) let 

Seq^(M) = {a : a a sequence of members of M of length a, Rang(a) G <y(M)}. 

3) Let ^i.o. or jSf= recalling that the logic for A, k cardinals, 

is defined like first order logic but we allow conjunctions of , for a < A and 

i<.OL 

existential quantifier (3a;) with x a sequence of variables of length < k, and 
the depth of the formulas is < a. We define = ^aLqi fogies with the 
same syntax but with a difference in the definition of the satisfaction relation, 
M ^[a] or (M, (f{a) is defined inductively on a as usual, except 

that 

(*) we demand Rang(a) G J\M][k] (otherwise not defined) , that is 
Mh^(3x);p(x,6)iff 

Rang(6) G J\M][k — 1] and for some a G ^sfo^M with 
Rang(a) G J^{M) we have M \=’yip[a,b]. 

Let °^^,K;+nai -^A,/i;card,T defined similarly (so 

M hf' 3'^x(fi{x,b) iff (6 G ^s(^»M), Rang(&) G ^{M)[k - 1] 
and /i = |{a : {a} G I and M i^[a, 6]}|. 



Omitting a means some a. 

If A, K,a are omitted they are Hg (so La.^.o is first order). 

4) We define a logic a- define the formulas in a induction 

on a, each formula (p has the form <~p(xQ^ Xi, . . . , Xfej_i), k\ < k, where the x^s 
are pairwise disjoint sequences of variables of length < k (so if /t = Hg, finite 
sequences) and every variable appearing freely in ip appear in one of those se- 
quences (so any formula is coupled with such (oig, . . . , Xk-i-i), probably some not 
actually appearing). 



g = 0 : quantifier free formula; i.e. any Boolean combination of atomic ones 
(with the right variables, of course). 



a 4- 1 : a non-limit (p{xo , . . . , Xki-i 
formulas of the form (3y)'ip{xig , . . . 

-^A.k.q- 



) is from ^ or is a Boolean combination of 
where *2 < k,ip{xig, . . . ,Xi^^_^,y) G 



odimit: 




f}<a 
g + 1, g limit : a+i of (/? G L a or ip a, Boolean combinations of 

members of k, a of the right variables. 

Let -4*1.0 = U 4;l,a and and = 



U and .idfc] = and = \J L^. 

(3<a k<Lu 

4A) We now define a satisfaction relation M ^ (f{ao, ■ ■ ■ , hfei-i) where k\ <k 
(depending on 

I.e. we define by induction on g, for <p{xo, . . . , Xk^-\) G .i^fL a> ^ Seq^'^'^^(M), 
when does M ^ ip[aQ, . . . ,a,k^-i\ and when M |= ->ip[aQ, . . . ,ak^-i]. This 
is done naturally, in particular M ^ (3y)(p{ao, . . . ,a,k 2 - 2 ,y) iff for some b G 
Seq^^^(M), (so Rang(6) G ^{M)) we have M ^ <p[ao, • ■ • ,Ofc 2 - 2 ,^]- 

5) We can define for ^ one of the above, similarly adding the quanti- 
fiers [ip' {x]z) /ip” {x,y,z)] saying: ,... ;z) define an equivalence relation 

on {a; : p'{x)} with exactly s equivalence classes. 

6) We can above replace models M by pairs C closed under 

subsets. 



5.2 Discussion : We may replace M by M+, adding elements coding each A G 

with decoding by functions, but 

(а) this does not capture and 

(б) for this requires infinitely many functions, we need to actually code 
any sequence listing each A G 

Still this framework seems to work quite smoothly for its purposes. We could 
have made it more central (use 5.5 below). 

Note that 

5.3 Observation. For any /c-system "3^ and 3 and mf -lifting of 3^, letting = 
M we have 

^^3 = (iV3,{A : (3/ G ^[Dom(/) & k A C Dom(G(/))]}, {G(/) : / G ^}) 



is a fc-system. 



Now easily (and it makes a connection with §1, §2): 

5.4 Observation : 1) Let {K,J^ be a context and Mi, M 2 G K he (finite as 
always), r-models, r a vocabulary, and k < u). 

The following are equivalent: 

{A) there are fc-systems 

3^1 = {Mi,^{Mi),^i) for £ = 1,2 and J^as in Definition 2.21(1), (2) 
(B) for every sentence ψ ∈ (τ) we have 

(C) for infinite A, k, a, for every sentence ip G \ q,(t) we have 

Ml hIJV' 

(D) for every t and infinite A, k, a for every sentence ip G a("^) have 

^full ^full 

N Ip ^ N ^2.t V' where N is defined in 2.13(7) 

r ^1 h 

rsfull 

and ly = {Dom(/) : / G G ®<‘}. 



GI5.4 



Proof. Straight. 



5.5 Definition. 1) We say T (from Definition 1.1) is pure if mi[T] = 0 so no 

Pe- 

2) Let '3^ = be a /c-system; let “3* is the full t-successor of 3” be 

as defined in 2.13. We define by induction on f;3t = 3*[^t] as follows: for 
t = 0,fV3‘ = M,pf is the empty set, G^* is the identity on ^ and R? = 
{(Al, a;) : A G I, X G A}; for t = s + 1 let 3* be the full t-successor of 3®- Let 
{B : B C S'3(a 1) for some A G 1} where <S'3 (a1) = S' 3 ^a = {x G 
: A is a 3-support of x}. 



We can also see: 

5.6 Claim. 1 ) Assume 

(a) 3^i = {Ml, J’l, ^() is a t-dichotomical k-system for £=1,2 
{b) yt=MMi,h], so 3t+i successor of ’il- 

Then the following are equivalent: 

(a) (Ml, /i), (M2, 12) are equivalent 

{j3) for every t < co the pairs {M^* , I^*), (M^*,/^^) are -equivalent. 

2) For any given {M,I) there in a sentence ip G ('^’m) satisfied by {M,I) 
and implying any other sentence ip' G 7/^,00(171) satisfied by {M,I). 

5.7 Remark. 1) So in part (2) we can apply 2.22, 2.23, 2.24. 

2) Note that by 5.3, satisfies addition theorems. 

5.8 Fact : For any T we can find T' which is equivalent if we use in Definition 
1.3 the case i = 4 (well when t(||M£||) always is > 2). In fact, we can reconstruct 
(i.e. define by a formula in jSf*) the sequence of {Pt,i :t'<t) in Nt. 
5.9 Conclusion 1) Assume a counting κ-system is given (see 2.3). Then we can define 
Rt,Gt for every t {Nt the “computation” in time t) such that 

{M,Po,Go,Ro) is 0-lifting 

{Nt+i, Pt+i,Gt+i, Rt+i) is a lifting, successor of {Nt,ct,Gt, Rt)- 
2) So the formula the (p defines is preserved by / G 
Proof. Straight. 



* * * 

5.10 Discussion : 1) In §2 and in 5.5 we can allow infinite models M and define 
Nt[M] = Nt[M,T ,t] for every ordinal t, for this better assume T is standard, 
monotonic and pure (or strongly monotonic, i.e. demand PepM,T ,t] is in- 
creasing with t] for t limit we take union and so V^[M, T,t] = U{A^q[M, T,t] : 
a an ordinal}, see below. Now as in the case t = 4, the analysis in §2 works for 
this but it is not clear if we can get any interesting things. 

Note that those definitions remind us of Gödel's construction of L, particularly of
L_{α+1} from L_α, and of the Fraenkel-Mostowski models (which use automorphisms).

Can this give interesting proofs of consistency for set theory with no choice
but with urelements? It seems they can be reduced to the classical case.

2) We can prove various equivalence and 0-1 laws by 5.5, by proving that the 
relevant model JVt can be interpreted in ff[M, /] from 5.5, using f.o. logic which 
suffices. 



Proof. Straight. 
1 Introduction

Two schema problems from the 1970s are examined, monadic recursion schemes
and first-order recursion schemes. Research on these problems halted because
they were shown to be equivalent to the problem of decidability of language
equivalence between DPDA (deterministic pushdown automata). Recently a
decidability proof for equivalence of DPDA was given by Sénizergues [?], which
therefore also solves the schema problems. However Sénizergues's proof is quite
formidable. A simplification of the proof was presented by the author [13] using
ideas from concurrency theory (for showing decidability of bisimilarity [9, 12])
and crucial insights from Sénizergues's intricate proof.

In this abstract we concentrate on first-order schemes and we outline a
solution, based on the DPDA equivalence proof, which is reasonably close to its
original formulation. We make use of Courcelle's work [2], which shows how
to reduce this schema problem to decidability of language equivalence between
strict deterministic grammars. And the proof in [13] of decidability of DPDA
equivalence proceeds via (a small extension of) these grammars.

2 Monadic Recursion Schemes

A monadic recursion scheme, following Garland and Luckham [?], is defined
relative to a set of basis monadic functions F = {f_1, ..., f_k} and a set of
predicates P = {P_1, ..., P_l} as a finite family

    F_1 x  =def  if P_1 x then α_1 x else β_1 x
    ...
    F_n x  =def  if P_n x then α_n x else β_n x

where each F_i is distinct and each α_i and β_i is a string of defined and basis
functions, a member of (F ∪ DF)* where DF = {F_1, ..., F_n}, and each P_i ∈ P.
The scheme is usually identified by the initial defined function F_1.

Example 1 A simple example is Fx =def if Px then fx else FFfx. □



P. Clote and H. Schwichtenberg (Eds.): CSL 2000, LNCS 1862, pp. 126ff., 2000.
© Springer-Verlag Berlin Heidelberg 2000
A computation of a scheme is defined with respect to an interpretation I
which fixes the meanings of the basis functions, predicates and variable. An
interpretation I over a non-empty value space D is a mapping such that I(x) ∈
D, I(f_i) ∈ D → D and I(P_i) ∈ D → {tt, ff}. A computation relative to I is
then defined using the following transition rules (δ ranges over strings in
(F ∪ DF)*)

    F x → F d            if I(x) = d
    δ f_i d → δ d'       if I(f_i)(d) = d'
    δ F_i d → δ α_i d    if I(P_i)(d) = tt
    δ F_i d → δ β_i d    if I(P_i)(d) = ff

The value of a scheme Fx relative to I, written Val_I(Fx), is a member of D_⊥. If
Fx →* d then Val_I(Fx) = d and if the computation never ends Val_I(Fx) = ⊥.

Two schemes F and G are strongly equivalent, written F ~ G, if for all
interpretations I, Val_I(Fx) = Val_I(Gx). The classical equivalence problem for
monadic recursion schemes is to show whether or not there is a decision procedure
for F ~ G. For background and significance of the problem, see Garland and
Luckham and references cited therein.

An interpretation I is free if the domain D = F*{x} and I(f) = f (that is,
I(f)(w) = fw) and I(x) = x. The result of a computation relative to a free I is a
word (or ⊥).

Example 2 Let I be the free interpretation for example 1 where I(P)(f^n x) = tt
iff n > 0. Therefore Fx → FFfx → Fffx → fffx, and Val_I(Fx) = fffx.
In contrast, if I(P)(f^n x) = tt iff n is odd then Val_I(Fx) = ⊥. □

Relationships with language theory were underpinned by the following result
in Garland and Luckham.

Fact 1 F ~ G iff for all free interpretations I, Val_I(Fx) = Val_I(Gx).

Garland and Luckham showed that the decision problem for schemes reduces
to the problem of decidability of DPDA equivalence, and Friedman showed that the
converse also holds using jump DPDA [?]. We shall now provide a cleaner variant
reduction to the DPDA problem, inspired by these authors.

First we assume a “Greibach” normal form for a scheme. In F_i x =def if P_i x then
α_i x else β_i x each α_i and β_i has one of the forms ε or f_j or F_j or F_j f_k or F_j F_k.
It is straightforward to transform a scheme into normal form by adding auxiliary
definitions. For instance, example 1 becomes Fx =def if Px then fx else Gfx and
Gx =def if Px then FFx else FFx.
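The transition rules of section 2, Example 2 and the normal form just given, as an added example (this is not code from the paper): a Python interpreter for monadic recursion schemes under a free interpretation. It always rewrites the defined function symbol that is directly applied to the argument word in F*{x} (the rightmost one) and stops when only basis functions remain. The dictionary encoding of a scheme, the single-letter function names and a step bound standing in for a non-terminating computation are assumptions of this example; it runs both example 1 and its normal form to show that they compute the same word.

```python
"""Added example (not from the paper): running monadic recursion schemes
under free interpretations, as in Example 2.  Schemes are encoded as
dictionaries with single-letter function names; a step bound stands in for
a non-terminating computation (bottom).  Both encodings are assumptions."""

BASIS = {'f'}                                   # basis functions F

# name -> (predicate, alpha, beta) encodes "F x = if P x then alpha x else beta x";
# strings are applied right to left, so the last symbol is applied first.
EXAMPLE1 = {'F': ('P', 'f', 'FFf')}             # F x = if P x then f x else F F f x
EXAMPLE1_NF = {'F': ('P', 'f', 'Gf'),           # the Greibach normal form of example 1
               'G': ('P', 'FF', 'FF')}

def run_free(scheme, start, predicates, max_steps=1000, trace=None):
    """Val_I(start x) under the free interpretation I with I(f)(w) = fw and
    I(x) = x, where predicates[P](w) gives I(P)(w) for w in F*{x}.
    Returns the value word, or None when no value is reached in max_steps.
    If a list is passed as `trace`, every intermediate term is appended to it."""
    term = start + 'x'
    for _ in range(max_steps):
        if trace is not None:
            trace.append(term)
        # the current argument d is the longest suffix over BASIS ending in x;
        # the symbol just before it is the defined function to rewrite next
        i = len(term) - 1
        while i > 0 and term[i - 1] in BASIS:
            i -= 1
        if i == 0:
            return term                        # only basis functions remain: a value
        head, d = term[i - 1], term[i:]
        pred, alpha, beta = scheme[head]
        body = alpha if predicates[pred](d) else beta
        term = term[:i - 1] + body + d         # delta F d -> delta alpha d  /  delta beta d
    return None                                # bottom: no value within the step bound

def count_f(w):
    """n for a word f^n x of the free interpretation."""
    return len(w) - 1

if __name__ == '__main__':
    steps = []
    print(run_free(EXAMPLE1, 'F', {'P': lambda w: count_f(w) > 0}, trace=steps), steps)
    # fffx ['Fx', 'FFfx', 'Fffx', 'fffx']
    print(run_free(EXAMPLE1, 'F', {'P': lambda w: count_f(w) % 2 == 1}))   # None
    print(run_free(EXAMPLE1_NF, 'F', {'P': lambda w: count_f(w) > 0}))    # fffx
```

The trace for the first interpretation reproduces Fx → FFfx → Fffx → fffx; for the second interpretation the stack of pending F's grows without bound, which the step bound reports as None.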

Let B be the set of boolean arrays of size l. If b ∈ B then b_i is the ith entry of
b: the idea is that b_i = tt means that P_i is true. A stack symbol is an element
of DF, a state is a boolean array b and the alphabet consists of elements bfb' where
f ∈ F. A configuration of the DPDA has the form bδ where δ ∈ DF* is a sequence
of stack symbols. Transitions have the form bδ --bfb'--> b'δ' or bδ --ε--> b'δ'. Let
δ^R be the reverse of δ. Assume a scheme with definition Fx =def if P_i x then αx else βx.
Basic transitions for bF are determined from the scheme as follows.

    bF --bfb'--> b'α'    if either b_i = tt and α^R = fα'
                         or b_i = ff and β^R = fα'

    bF --ε--> bα'        if either b_i = tt and α^R = α' and α ∈ DF*
                         or b_i = ff and β^R = α' and β ∈ DF*

(Reversing α or β puts the function that is applied first, the rightmost symbol
of the string, at the top of the stack.) There is also the prefix rule, if
bF --a--> b'α' then bFδ --a--> b'α'δ. Basic transitions obey the following two
deterministic properties:

    if bF --ε--> bδ then not(bF --a--> b'δ') for any a and b'δ'
    if bF --a--> b'δ' and bF --a--> b''δ'' then b' = b'' and δ' = δ''

The result is therefore a DPDA.

The language of a configuration bδ, written L(bδ), is the set of words w ∈
(B × F × B)* recognised by bδ using these transition rules, where ε-transitions
are swallowed in the usual way, and assuming empty stack acceptance, L(bδ) =
{w : bδ --w-->* b'ε for some b'}. The following is a consequence of Fact 1 and the
construction.

Proposition 1 F ~ G iff for all b, L(bF) = L(bG).
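The DPDA construction and Proposition 1, as an added example (this is not code from the paper): Python that derives the basic transitions of bF from a normal-form scheme by reversing α or β, runs the resulting DPDA with empty-stack acceptance on a word over the alphabet of triples b f b', and checks for the normal form of example 1 that the word recording the predicate values of a free interpretation (b_0 f b_1 f ... f b_k) is accepted exactly when the scheme's computation under that interpretation terminates after k applications of f: k = 3 for the first interpretation of Example 2 and never for the second. The encoding of states as tuples of booleans and the step bound are assumptions of this example.

```python
"""Added example (not from the paper): the DPDA obtained from a monadic
recursion scheme in Greibach normal form, and the word of predicate values
that a free interpretation traces out.  States are tuples of booleans (one
entry per predicate), the scheme is the normal form of example 1, and the
step bound is an assumption of this example."""

BASIS = {'f'}
# name -> (predicate index i, alpha, beta); strings are applied right to left.
SCHEME_NF = {'F': (0, 'f', 'Gf'),     # F x = if P x then f x else G f x
             'G': (0, 'FF', 'FF')}    # G x = if P x then F F x else F F x

def basic_transition(scheme, b, F):
    """The unique basic transition of configuration bF.
    Returns (f, alpha') for  bF --b f b'--> b' alpha'  (b' is read from the input)
    or (None, alpha') for the epsilon move  bF --eps--> b alpha'.
    Reversing alpha or beta puts the symbol applied first on top of the stack."""
    i, alpha, beta = scheme[F]
    rev = (alpha if b[i] else beta)[::-1]          # alpha^R or beta^R
    if rev and rev[0] in BASIS:
        return rev[0], rev[1:]                     # body^R = f alpha'
    return None, rev                               # body in DF*

def accepts(scheme, b, stack, word, max_steps=10000):
    """Empty-stack acceptance: b stack --w-->* b' eps for some b'.
    `word` is a sequence of triples (b, f, b'); epsilon moves are swallowed."""
    pos = 0
    for _ in range(max_steps):
        if not stack:                              # stack empty: accept iff w consumed
            return pos == len(word)
        f, pushed = basic_transition(scheme, b, stack[0])
        if f is None:
            stack = pushed + stack[1:]
            continue
        if pos == len(word):
            return False                           # input exhausted, stack not empty
        b0, g, b1 = word[pos]
        if b0 != b or g != f:
            return False                           # no transition on this symbol
        b, stack, pos = b1, pushed + stack[1:], pos + 1
    return False                                   # runaway epsilon moves: reject

def trace_word(pred_values, k):
    """b_0 f b_1 f ... f b_k: the predicate values on x, fx, ..., f^k x under a
    free interpretation with a single predicate P and basis function f."""
    bs = [(pred_values(n),) for n in range(k + 1)]
    return [(bs[n], 'f', bs[n + 1]) for n in range(k)]

def accepted_lengths(scheme, F, pred_values, max_k):
    """Those k <= max_k for which the k-letter trace word is in L(b_0 F)."""
    b0 = (pred_values(0),)
    return [k for k in range(max_k + 1)
            if accepts(scheme, b0, F, trace_word(pred_values, k))]

if __name__ == '__main__':
    print(accepted_lengths(SCHEME_NF, 'F', lambda n: n > 0, 10))       # [3]: Val = fffx
    print(accepted_lengths(SCHEME_NF, 'F', lambda n: n % 2 == 1, 10))  # []: Val = bottom
```

Because the input symbol b f b' carries the next state b', the automaton never has to guess predicate values: the word itself is the record of a free interpretation along the computation, which is what makes Proposition 1 a direct consequence of Fact 1.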

There is a routine transformation of a DPDA into a context-free grammar
(which is strict deterministic [17, 18], more on this later). First one transforms the
DPDA into normal form where ε-transitions only pop the stack, by examining
what happens under repeated basic ε-transitions. Next one transforms the
normalised DPDA into a context free grammar whose nonterminals are triples of the
form bFb' and whose alphabet is the same as that of the DPDA. The idea is that,
for instance, a basic transition of the DPDA of the form bF --a--> b''GF_1 becomes
in the grammar the family of transitions, for each b''', bFb' --a--> b''Gb''' b'''F_1b'.
Hence the language accepted by the nonterminal bFb', L(bFb'), is the set of words
w such that bF --w-->* b'ε. Hence F ~ G iff for all b and b', L(bFb') = L(bGb').
Decidability of monadic recursion schemes follows from the following theorem.

Theorem 1 It is decidable whether L(bFb') = L(bGb').

In this abstract there is only an intimation of the procedure in section 4,
because we shall concentrate on the second schema problem.



3 Recursive Program Schemes

A recursive program scheme, following Courcelle [2], is defined relative to a set
of basis functions F = {f_1, ..., f_k} and a set of basis variables V = {x_1, ..., x_l}.
Each basis function f has an associated arity ρ(f) > 0, and therefore need not
be monadic. A scheme is a finite family of the form

    F_1(x_1, ..., x_{m_1})  =def  t_1
    ...
    F_n(x_1, ..., x_{m_n})  =def  t_n

where each F_i is distinct, and has an associated arity ρ(F_i) = m_i, and where
terms t_i are built from the basis and defined functions and variables, and
therefore have the form x_j or f_j(t_1, ..., t_{ρ(f_j)}) or F_j(t_1, ..., t_{ρ(F_j)}).
A scheme is again usually identified with its head function F_1. We let DF be the
set of defined functions.

Example 1 A simple example is F(x) =def f(F(gx), g(x)).

The interpretation of a scheme is either the undefined tree or a completed
tree whose depth is finite or infinite and where internal nodes are labelled with
elements of F and leaves are labelled with elements of V. The following transition
rules generate the tree and they are applied down the depth of the tree starting
with F_1(x_1, ..., x_{m_1}):

    F_i(t_1, ..., t_{ρ(F_i)}) → t_i{t_1/x_1, ..., t_{ρ(F_i)}/x_{ρ(F_i)}}

    if t'_j → t''_j, 1 ≤ j ≤ ρ(f_i), then f_i(t'_1, ..., t'_{ρ(f_i)}) → f_i(t''_1, ..., t''_{ρ(f_i)})

where {·/·} is simultaneous substitution. For instance in the case of example 1

    Fx → f(F(gx), gx) → f(f(F(ggx), ggx), gx) → ...

The value of a scheme belongs to the family of appropriate trees.

Alternatively one can view this family as a domain¹ of trees. The meaning of a
scheme is the least fixed point with respect to the free tree interpretation,
following Damm [?]. In the case of example 1

    F^0(x) = ⊥        F^{i+1}(x) = f(F^i(gx), gx)

So F^2(x) = f(f(⊥, ggx), gx). The resulting tree is F^ω(x) = ⊔_{i≥0} F^i(x),
which is the meaning of Y(λF.λx.f(F(gx), gx))(x) with respect to the free
interpretation. Thus schemes are only “first-order”. Higher order schemes are
considered by Damm [?].

Two schemes F and G with arity n are equivalent, written F ~ G, if they
produce the same tree, that is if F^ω(x_1, ..., x_n) = G^ω(x_1, ..., x_n). The classical
equivalence problem for recursion schemes is to show whether or not there is a
decision procedure for F ~ G. For background and significance of the problem
see [?] and references cited therein.

¹ With ordering ⊥ ⊑ T, and T_i ⊑ T'_i for each i implies f(T_1, ..., T_{ρ(f)}) ⊑ f(T'_1, ..., T'_{ρ(f)}).
The equivalence problem for schemes was shown to be interreducible to the
DPDA problem by Courcelle [2], via grammars. A key idea is to represent a tree
T as the language of its finite branches, B(T). The following finite tree
f(g(x_1, x_2), f(x_1, h(x_3))) is given as {f¹g¹x_1, f¹g²x_2, f²f¹x_1, f²f²h¹x_3}. Each
word is a branch. One splits each basis function f of arity k into terminal symbols
f¹, ..., f^k reflecting the different directions that can be taken to obtain the
branch. In the case of T generated by example 1 above B(T) is the deterministic
context-free language {f²g¹x, f¹f²g¹g¹x, f¹f¹f²g¹g¹g¹x, ...}.

If T = T' then B(T) = B(T'). But the converse need not hold. Consider
the trees generated by the schemes Fx =def f(Fx) and Gx =def g(Gx). These trees
are not “locally finite” [?]. A tree T is locally finite if whenever u is a prefix
of a branch of T then there is a finite word v such that uv ∈ B(T). Locally
finite trees with the same branch language are equal. It is straightforward as
Courcelle notes to guarantee local finiteness by increasing the arity of the basis
functions by one and adding a new variable. Consider the transformed schemes
Fxy =def f(Fxy, y) and Gxy =def g(Gxy, y). Two schemes are equivalent iff their
transformations are also equivalent. Hence we can restrict attention to schemes
that generate locally finite trees, and for these the following holds, as shown by
Courcelle [2].

Fact 1 F ~ G iff B(F^ω(x_1, ..., x_n)) = B(G^ω(x_1, ..., x_n)).

Following Courcelle, the next step is to transform a scheme into a context-free
grammar which generates its branch language. We exclude the case where
a scheme generates a single node tree x_i: it is easy to directly check equivalence
between such schemes. With this exclusion, we assume that schemes are given
in “Greibach” normal form. Each term t_i in the definition of F_i has the form
f(rt_1, ..., rt_{ρ(f)}) where f ∈ F and where each rt_j is built from variables and
defined function symbols only and where the depth of their embedding is at
most two. This normal form is easy to achieve by introducing auxiliary defined
functions.

An ε-free context-free grammar in 3-Greibach normal form consists of a finite
set N of nonterminals, a finite alphabet A and a finite family of basic transitions,
each of the form X --a--> α where X ∈ N, a ∈ A and α ∈ N* such that its length,
|α|, is less than 3. A simple configuration is a sequence of nonterminals whose
behaviour is determined by the basic transitions and the prefix rule: if X --a--> α
then Xβ --a--> αβ where β ∈ N*. The language accepted by a simple configuration
α, L(α), is the set of words {w ∈ A* : α --w-->* ε}.

Given a scheme in normal form we associate a grammar with it as follows.
The alphabet A is the set of split functions f^j, 1 ≤ j ≤ ρ(f), for f ∈ F.
The nonterminals N is the set of F^i, 1 ≤ i ≤ ρ(F), for F ∈ DF. Assume in the
scheme that F(x_1, ..., x_{ρ(F)}) =def f(rt_1, ..., rt_{ρ(f)}). The basic transitions are
defined as follows, for each nonterminal F^i and alphabet symbol f^j.

    F^i --f^j--> ε           if rt_j = x_i
    F^i --f^j--> G^k         if rt_j = G(rt'_1, ..., rt'_{ρ(G)}) and rt'_k = x_i
    F^i --f^j--> G^k H^l     if rt_j = G(rt'_1, ..., rt'_{ρ(G)}) and
                             rt'_k = H(rt''_1, ..., rt''_{ρ(H)}) and rt''_l = x_i

The grammar is defined so that the language accepted by a nonterminal F^i is
the set of words w ∈ A+ such that wx_i ∈ B(F^ω(x_1, ..., x_{ρ(F)})). For example in
the case of the second transition rule, because G has x_i in its kth position in the
definition of F, it follows that {f^j w : w ∈ L(G^k)} ⊆ L(F^i). Hence the following
result holds.

Fact 2 F ~ G iff for each i, L(F^i) = L(G^i).
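The branch language B(T) of this section and the grammar construction just given, as an added example (this is not code from the paper): Python that unfolds a scheme to a finite depth and lists the branches of the resulting tree (the approximants F^0, F^1, ... of the text), builds the basic transitions F^i --f^j--> α from a normal-form scheme, applies them to sequences of nonterminals with the prefix rule, and checks on example 1 (with the auxiliary G(x) = g(x) needed for normal form) that the words of L(F^1) up to a length bound are exactly the branches of F^ω(x) that end in x, as Fact 2 requires. The path-finding helper accepts any nesting depth of the rt_j, not only the depth two of the normal form; the term encoding, the arity table and the bounds are assumptions of this example.

```python
"""Added example (not from the paper): branch language of a recursion
scheme and Courcelle's branch grammar.  Scheme, term encoding and bounds are
constructed; the scheme is example 1 with an auxiliary G(x) = g(x)."""

# Normal-form scheme: F -> (parameters, basis head f, (rt_1, ..., rt_rho(f))).
# Terms are variables (strings) or tuples (function, arg_1, ..., arg_n).
SCHEME = {
    'F': (('x',), 'f', (('F', ('G', 'x')), ('G', 'x'))),   # F(x) = f(F(G(x)), G(x))
    'G': (('x',), 'g', ('x',)),                            # G(x) = g(x)
}

def is_var(t):
    return isinstance(t, str)

def subst(t, env):
    """Simultaneous substitution {t_1/x_1, ...} of the parameters."""
    if is_var(t):
        return env.get(t, t)
    return (t[0],) + tuple(subst(s, env) for s in t[1:])

def branches(term, depth, scheme):
    """Finite branches of the tree obtained by unfolding defined functions at
    most `depth` times: lists of split symbols f^j ending in a variable.
    A defined-function node that is not unfolded is bottom and contributes no
    finite branch, as in the approximants F^0, F^1, ... of the text."""
    if is_var(term):
        return [[term]]
    head, args = term[0], term[1:]
    if head in scheme:
        if depth == 0:
            return []
        params, f, rts = scheme[head]
        env = dict(zip(params, args))
        body = (f,) + tuple(subst(rt, env) for rt in rts)
        return branches(body, depth - 1, scheme)
    return [[head + str(j)] + br
            for j, arg in enumerate(args, start=1)
            for br in branches(arg, depth, scheme)]

def branch_words(scheme, F, x, depth, max_len):
    """Words w with |w| <= max_len such that w x is a branch of F's tree."""
    start = (F,) + scheme[F][0]
    return {tuple(br[:-1]) for br in branches(start, depth, scheme)
            if br[-1] == x and len(br) - 1 <= max_len}

def paths_to(rt, x):
    """Sequences G^k H^l ... of nonterminals leading from rt to occurrences of x
    (one per occurrence; any nesting depth, not only the normal form's two)."""
    if is_var(rt):
        return [()] if rt == x else []
    G, args = rt[0], rt[1:]
    return [(G + str(k),) + rest
            for k, arg in enumerate(args, start=1)
            for rest in paths_to(arg, x)]

def grammar(scheme):
    """Basic transitions F^i --f^j--> alpha, keyed by (F^i, f^j); several alphas
    when x_i occurs more than once in rt_j (the 'almost deterministic' case)."""
    trans = {}
    for F, (params, f, rts) in scheme.items():
        for i, x in enumerate(params, start=1):
            for j, rt in enumerate(rts, start=1):
                for alpha in paths_to(rt, x):
                    trans.setdefault((F + str(i), f + str(j)), set()).add(alpha)
    return trans

def step(config, a, trans):
    """Apply the basic transitions on letter a with the prefix rule to every
    sequence of a composite configuration (a set of tuples of nonterminals)."""
    return {alpha + beta[1:]
            for beta in config if beta
            for alpha in trans.get((beta[0], a), ())}

def language(trans, start, max_len):
    """Words w, |w| <= max_len, with start --w-->* epsilon, by breadth-first
    search over (word, configuration) pairs."""
    alphabet = sorted({a for (_, a) in trans})
    words, frontier = set(), {(): {start}}
    for _ in range(max_len):
        nxt = {}
        for w, config in frontier.items():
            for a in alphabet:
                cfg = step(config, a, trans)
                if cfg:
                    nxt[w + (a,)] = cfg
                    if () in cfg:
                        words.add(w + (a,))
        frontier = nxt
    return words

if __name__ == '__main__':
    T = grammar(SCHEME)
    print(T)   # F1 --f1--> F1 G1, F1 --f2--> G1, G1 --g1--> epsilon
    print(sorted(language(T, ('F1',), 6)))
    print(language(T, ('F1',), 6) == branch_words(SCHEME, 'F', 'x', 10, 6))  # True
```

Each unfolding of a defined function adds at least one basis symbol to a branch (the head of every normal-form body is a basis function), so unfolding to depth n already exhibits every branch of length at most n; that is why comparing against a bounded-depth approximant is sound for the length-bounded check.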

4 The Decision Procedure

The disjoint union of two recursion schemes is a single scheme and therefore we
need only consider a single grammar. The equivalence problem is then to show
that for each i, L(F^i) = L(G^i) for F, G ∈ DF. We assume that the grammar is
“tidied” as usual by removing redundant nonterminals (those not reachable from
any F^i and G^i and those whose language is ∅). In the following we use X, Y and
Z to range over nonterminals and α, β to range over sequences of nonterminals.

The decision procedure consists of two semi-decision procedures. One half is
easy, if L(F^i) ≠ L(G^i) then there is a smallest word which distinguishes them.
The other half is more difficult. We show that F ~ G iff there is a finite tableau
proof for this. Tableaux have been used for proving decidability of bisimulation
equivalence [?]. They are also implicit in Sénizergues's proof [?] where they
appear as strategies.

The tableau proof system is goal directed, and consists of two kinds of rules,
simple and conditional. Simple rules have the form

    Goal
    ------------------------------  : C
    Subgoal_1  ...  Subgoal_n

where Goal is what currently is to be proved and the subgoals are what it reduces
to, provided the side condition C holds. A conditional rule has the form

    Goal_1
    ...
    Goal_k
    ------------  : C
    Goal
    ------------
    Subgoal

where Goal is the current goal to be shown and there is a single subgoal to
which it reduces provided that the goals Goal_1, ..., Goal_k occur above Goal on
the path between it and the root (starting goal) and provided that the side
condition C holds. The use of conditional tableau rules is an innovation,
which is essentially due to Sénizergues.

There is also the important notion of when a current goal counts as final.
Final goals are classified as either successful or unsuccessful. A tableau proof for
a starting Goal is a finite proof tree, whose root is Goal and all of whose leaves
are successful final goals, and all of whose inner subgoals are the result of an
application of one of the rules.

The first tableau proof rule is the initial simple rule, INIT.

    F = G
    ----------------------------
    F^1 = G^1  ...  F^n = G^n

The initial goal F = G, “are schemes F and G equivalent?”, reduces to the
subgoals F^i = G^i, “is L(F^i) = L(G^i)?”, for each i.

The main idea of the tableau proof system is to reduce goals to subgoals by
following branches down the trees for F and G. F^i represents the subtree for F
all of whose branches end in x_i. The configuration (F^i · w) represents the subtree
for F given by taking path w down the subtree F^i: it is therefore the subtree
whose branches are {v : wvx_i is a branch of the tree for F}. Clearly F ~ G iff
for all w and i, (F^i · w) ~ (G^i · w). We show that the subtree (F^i · w) is naturally
described in the grammar.

Basic transitions of the grammar induced by a scheme are “almost” deterministic.
If F^i --f^j--> ε and F^i --f^j--> α then α = ε because x_i is in the jth position
of f and nothing else is thereby allowed. However if the jth position of f is
G(rt'_1, ..., rt'_{ρ(G)}) then it is possible that F^i --f^j--> α and F^i --f^j--> β when α ≠ β.
However α and β are “similar”: if α = G^k α' then β must have the form G^l β'
and if l = k then α' and β' must again be similar (both of the form H^m). The
grammar is in fact strict deterministic.²

Let ≡ be a partition of the nonterminals N of a context-free grammar (in
normal form). The partition ≡ is extended to sequences of nonterminals, α ≡ β
if α = β or there is a δ such that α = δXα_1 and β = δYβ_1 and X ≡ Y and
X ≠ Y. A partition ≡ on N is strict if the basic transitions obey the following
two conditions:

    if X --a--> α and Y --a--> β and X ≡ Y then α ≡ β
    if X --a--> α and Y --a--> α and X ≡ Y then X = Y

A context-free grammar is strict deterministic if there exists a strict partition
of its nonterminals. The partition on the grammar induced by a scheme is given
by F^i ≡ F^j for each F and indices i and j. Clearly the two strictness conditions
hold. Hence for α, β ≠ ε and α ≠ β, α ≡ β if α = δF^i α' and β = δF^j β' for

² Similarly the context-free grammar induced by a monadic recursion scheme is strict
deterministic when the partition is given by bFb' ≡ bFb''.
The strictness conditions generalise to words (replacing a with w ∈ A+
throughout). It therefore follows that if X ≡ Y then the languages accepted
by X and Y are prefix-disjoint, and if in addition X ≠ Y then they accept disjoint
languages. That is, if w ∈ L(F^i) and i ≠ j then no prefix of w, including w, belongs
to L(F^j). This is clear from the tree generated by F: if wx_i is a branch then
this excludes vx_j as a branch whenever v is a prefix of w.

A simple configuration of a grammar is a sequence of nonterminals β. A
composite configuration is a finite family of simple configurations, β_1 + ... + β_n.
The language accepted by a composite configuration is the union of the languages
accepted by the components, L(β_1 + ... + β_n) = ⋃ L(β_i). For simplicity we also
assume that the empty sum, 0, is also a configuration. Our main concern is with
a subset of such configurations: β_1 + ... + β_n is admissible if β_i ≡ β_j for each pair
of components β_i and β_j. Note that the singleton member ε is admissible and so
is 0. Subtrees of (the tree for) F such as (F^i · w) are represented as admissible
configurations. Let (F^i · a) be defined as Σ{α : F^i --a--> α is a basic transition},
which is an admissible configuration because the grammar is strict. L((F^i · a)) is
{w : awx_i is a branch in the tree for F}. If A = X_1β_1 + ... + X_nβ_n is admissible
then (A · a) is Σ{α_1β_1 : X_1 --a--> α_1} + ... + Σ{α_nβ_n : X_n --a--> α_n},
which is also admissible. The notation is extended to words, (A · ε) = A and
(A · aw) = ((A · a) · w), where (0 · w) = 0. It is easy to check that for any w, if A
is admissible then (A · w) is also admissible.

We now return to the tableau construction. We let A, B, C and D range
over admissible configurations. Goals in the tableau proof system (except for
the initial goal F = G) have the form A = B. The next tableau proof rule is
again a simple rule, UNF (unfold). Let the alphabet be A = {a_1, ..., a_k}.

    A = B
    ---------------------------------------------
    (A · a_1) = (B · a_1)  ...  (A · a_k) = (B · a_k)

UNF allows one to walk down the trees for F^i and G^i. UNF is the strategy T_A
in Sénizergues's proof.

The size of an admissible configuration A = β_1 + ... + β_n, written |A|, is
the length of its largest sequence, max{|β_i| : 1 ≤ i ≤ n}. A has many different
“shapes”, as it can be written in many different ways using obvious equalities
(such as B(C + D) = BC + BD). A basic shape is a head nonterminal form
X_1A_1 + ... + X_kA_k where X_i ≠ X_j, i ≠ j, and X_i ≡ X_j. In this case the X_is
are heads and the A_is are tails. Another head form is α_1A_1 + ... + α_nA_n + B where
α_i ≡ α_j and |α_i| = |α_j| and no A_j = ε and |B| < |α_i|. Instead one may focus
on tail forms. If (X_i · w) = D_i (where D_i may be 0 and for no prefix v of w is
(X_i · v) = ε) then (X_1A_1 + ... + X_kA_k · w) = D_1A_1 + ... + D_kA_k. The shape
D_1A_1 + ... + D_kA_k highlights the tails A_i. Because the grammar is in 3-Greibach
normal form |D_i| ≤ 1 + |w| for each i.

Associated with any nonterminal F^i is a smallest word w(F^i) such that
w(F^i) ∈ L(F^i), and so (F^i · w(F^i)) = ε. Note that if (F^i · v) = ε and j ≠ i
then (F^j · v) = 0. An important measure is M which is max{|w(X)| : X is a
nonterminal}.
UNF allows one to proceed down the trees for F and G. Any subgoal A = B
can be thought of as (F^i · w) = (G^i · w) where w is a prefix of a branch. The
next step is to permit tree surgery and transplantation to “balance” the subtree
expressions. We give the tableau rule BAL(L). This is a conditional tableau rule.
In Sénizergues's proof this is the strategy T_B.

    X_1A_1 + ... + X_kA_k = B
    ---------------------------------------------------  : C
    D_1A_1 + ... + D_kA_k = B'
    ---------------------------------------------------
    D_1(B · w(X_1)) + ... + D_k(B · w(X_k)) = B'

where C is the condition: there are exactly M applications of UNF between the
top goal and bottom goal and no other rule is applied, and each D_i ≠ ε. To
understand the rule assume that D_1A_1 + ... + D_kA_k = B' is the current goal.
This reduces to the subgoal beneath it provided that the top goal appears above
it in the proof tree and condition C holds. There is also the symmetric rule
BAL(R) where the premises are B = ... and B' = ..., and the conclusion is
B' = ....

Consider the top goal of BAL(L), A = B. Let B have shape β_1B_1 + ... +
β_nB_n + C where |β_i| = M + 1. Because (X_i · w(X_i)) = ε it follows that (A · w(X_i)) =
A_i. Therefore if the top goal is true then L(A_i) = L(B · w(X_i)). It is this
substitution of (B · w(X_i)) for A_i for each i in the bottom goal which the rule
sanctions. Moreover (B · w(X_i)) is (β_1 · w(X_i))B_1 + ... + (β_n · w(X_i))B_n + (C · w(X_i))
because |w(X_i)| ≤ |β_j|. Also B' has the shape B'_1B_1 + ... + B'_nB_n + C' (where
|C'|, |B'_i| ≤ 2M + 1). Putting all this together it means that the subgoal has the
following form, where some of the A'_i and B'_i may be 0 and B_{n+1} = ε.

    A'_1B_1 + ... + A'_nB_n + C''B_{n+1}  =  B'_1B_1 + ... + B'_nB_n + C'B_{n+1}

We think of this subgoal as “balanced” because both sides have this common tail
form, and all their heads have bounded size.
Introducing balanced subgoals is not sufficient for showing decidability. For
the sizes of the common tails may keep growing. There is one more tableau rule,
CUT, which allows one to cut the common tails. The exact formulation relies
on families of auxiliary nonterminals ranged over by V, each of which has an
associated definition V =def B. We say that (V_1, ..., V_n) is a family of recursive
nonterminals if for each i either V_i =def A_{i1}V_1 + ... + A_{in}V_n where A_{i1} + ... +
A_{in} is admissible and does not contain auxiliary nonterminals, or V_i =def V_j and j < i
and V_j =def V_j. An auxiliary nonterminal can only appear as a final element in a
sequence of nonterminals. Admissibility is extended to such families of sequences.
A configuration which is a singleton V is admissible and β_1V'_1 + ... + β_kV'_k is
admissible if the head β_1 + ... + β_k is admissible and each β_i is distinct, and
there is a family of recursive nonterminals (V_1, ..., V_n) such that each V'_i is one
of the V_js. An admissible configuration can therefore be presented in tail form
A = A_1V_1 + ... + A_nV_n. The definition of (A · w) is refined. If (A_i · w) = ε and
V_i =def B then (A · w) = B. The language accepted by A is the set of words w
such that (A · w) = V_i where V_i =def V_i. Two configurations containing auxiliary
nonterminals are equivalent if they accept the same words and agree on their
terminating nonterminals.

The idea of CUT is that a balanced goal

(1) $A_1B_1 + \ldots + A_nB_n = C_1B_1 + \ldots + C_nB_n$

where the $A_i$s and $C_i$s do not contain recursive nonterminals, can be reduced to
a subgoal of the form

(2) $A_1V_1 + \ldots + A_nV_n = C_1V_1 + \ldots + C_nV_n$

where $(V_1, \ldots, V_n)$ is a family of recursive nonterminals. The mechanism for
reducing goal (1) to goal (2) involves constructing the recursive family $(V_1, \ldots, V_n)$
from a subsidiary family of goals $A^i_1B_1 + \ldots + A^i_nB_n = C^i_1B_1 + \ldots + C^i_nB_n$, where
$i \geq 1$, with the same tails as (1).

We now state an important result which underpins the rule CUT. 

Lemma 1 Assume $0 < m < n$. If for all $i : 1 \leq i \leq m$, $L(A^i_1B_1 + \ldots + A^i_nB_n) = L(C^i_1B_1 + \ldots + C^i_nB_n)$ then there is a family of recursive nonterminals
$(V_1, \ldots, V_n)$ such that

1. For each $i : 1 \leq i \leq m$, $L(A^i_1V_1 + \ldots + A^i_nV_n) = L(C^i_1V_1 + \ldots + C^i_nV_n)$,

2. If $V_j \stackrel{def}{=} A'_1V_1 + \ldots + A'_nV_n$ then $L(B_j) = L(A'_1B_1 + \ldots + A'_nB_n)$,

3. If $V_i \stackrel{def}{=} V_j$ then $L(B_i) = L(B_j)$.

The recursive family $(V_1, \ldots, V_n)$ which issues from the proof of Lemma 1 is said
to be "canonical" for the family $A^i_1B_1 + \ldots + A^i_nB_n = C^i_1B_1 + \ldots + C^i_nB_n$ of true
goals. The construction of canonical nonterminals is independent of the tails $B_i$.

Fact 1 If $(V_1, \ldots, V_n)$ is canonical for $A^i_1B_1 + \ldots + A^i_nB_n = C^i_1B_1 + \ldots + C^i_nB_n$
then it is also canonical for the family $A^i_1D_1 + \ldots + A^i_nD_n = C^i_1D_1 + \ldots + C^i_nD_n$,
where $i : 1 \leq i \leq k$.

The proof of Lemma 1 assembles the canonical family in stages. At stage
$j$, the family $(V^{j+1}_1, \ldots, V^{j+1}_n)$ is constructed from $(V^j_1, \ldots, V^j_n)$. If each $V^{j+1}_i$
has the same definition as $V^j_i$ then the construction terminates. In fact it must
terminate by stage $j = n - 1$. The building of the $V^{j+1}_i$ from the $V^j_i$s appeals
to a smallest distinguishing word $u_{j+1}$ for $L(A') \neq L(C')$, where $A'$ is $A^l_1V^j_1 +
\ldots + A^l_nV^j_n$ and $C'$ is $C^l_1V^j_1 + \ldots + C^l_nV^j_n$ for some $l$. The depth of a canonical
family is given by the sum over all stages of the lengths of the distinguishing words, $\sum_j |u_j|$.

We need to consider how to introduce recursive nonterminals when the family
of goals need not all be true. The idea is to approximate canonicity by defining
when a recursive family $(V_1, \ldots, V_n)$ is "canonical to depth $d$", where $d \geq 0$, for a
family of goals $A^i_1B_1 + \ldots + A^i_nB_n = C^i_1B_1 + \ldots + C^i_nB_n$. The construction is the
same as for the proof of Lemma 1, except that we stop at the first stage $j \geq 0$
with $(V^j_1, \ldots, V^j_n)$ as the required family of recursive nonterminals if the sum of
the lengths of the distinguishing words $S_j = |u_1| + \ldots + |u_j|$ is no larger than $d$, and for all $w$
such that $|w| \leq d - S_j$, $w \in L(A^i_1V^j_1 + \ldots + A^i_nV^j_n)$ iff $w \in L(C^i_1V^j_1 + \ldots + C^i_nV^j_n)$,
for each $i$.

The rule CUT, where $k < n$, is as follows.

    $A^1_1B_1 + \ldots + A^1_nB_n = C^1_1B_1 + \ldots + C^1_nB_n$
    $\vdots$
    $A^k_1B_1 + \ldots + A^k_nB_n = C^k_1B_1 + \ldots + C^k_nB_n$
    $\vdots$
    $A_1B_1 + \ldots + A_nB_n = C_1B_1 + \ldots + C_nB_n$
    ------------------------------------------------------  $\mathcal{C}$
    $A_1V_1 + \ldots + A_nV_n = C_1V_1 + \ldots + C_nV_n$

where $\mathcal{C}$ is the condition that $(V_1, \ldots, V_n)$ is canonical to depth $d$ for the family
of goals $A^i_1B_1 + \ldots + A^i_nB_n = C^i_1B_1 + \ldots + C^i_nB_n$, $1 \leq i \leq k$, and there are at
least $d$ applications of UNF (as well as possibly applications of BAL) between
$A^k_1B_1 + \ldots + A^k_nB_n = C^k_1B_1 + \ldots + C^k_nB_n$ and the final goal in the premises
$A_1B_1 + \ldots + A_nB_n = C_1B_1 + \ldots + C_nB_n$. CUT is essentially the strategy $T_q$
in Sénizergues's proof (although he uses regular expressions and not recursive
nonterminals).

From Fact 1 it follows that for any other family of goals with different tails $D_i$
but the same heads $A^i$, $C^i$ the same recursive nonterminal family is introduced.
It is this feature which guarantees that there is a finite tableau proof for $F \sim G$.

We have now seen all the tableau proof rules, INIT, UNF, BAL(L), BAL(R) 
and CUT. There is also the important notion of when a current goal counts 
as final. Final goals are classified as either successful or unsuccessful. A tableau 
proof for the starting goal F = G is a finite proof tree, whose root is F = G 
and all of whose leaves are successful final goals, and all of whose inner subgoals 
are the result of an application of one of the rules. Successful final goals are as 
follows: 

    $A = B$
    $\vdots$  UNF at least once
    $A = B$                              $A = A$

An identity and a goal which is repeated count as successful. Unsuccessful final
goals are

    $0 = B$ and $L(B) \neq \emptyset$        $A = 0$ and $L(A) \neq \emptyset$        $V_i = V_j$ and $i \neq j$

The tableau rules are sound and complete, which we now explain. First, UNF
is complete in the sense that if the premise is true then so are the subgoals.
Completeness for BAL is that if the premise goals (those above the subgoal) are
true then so is the subgoal. The statement of completeness for CUT is that there
are correct applications of it. If $(V_1, \ldots, V_n)$ is canonical for the first $k$ premises
then there is a depth $d$ for which it is canonical. Moreover $(V_1, \ldots, V_n)$ needs to
be a recursive family for the true goal $A_1B_1 + \ldots + A_nB_n = C_1B_1 + \ldots + C_nB_n$,
in which case the subgoal follows.

For soundness of the tableau rules consider global soundness of the proof
system. The overall idea is that if there is a successful tableau whose root is
false then there is a path through the tableau within which each subgoal is
false. The idea is refined using approximants. If $F^i \neq G^i$ then there is a smallest
distinguishing word $w$. One can define $n$-equivalence between $F^i$ and $G^i$: they are
$n$-equivalent if for all words $w$ such that $|w| \leq n$, $w$ does not distinguish between $F^i$ and $G^i$. UNF
obeys the simple soundness property that if the goal is not $(n+1)$-equivalent then a
subgoal is not $n$-equivalent. Therefore if the root is false then there is an offending
path (of false goals) through the tableau within which the approximant indices
decrease whenever rule UNF has been applied, and hence this would mean that
a successful final goal is false (which, as we shall show, is impossible). Soundness
of the conditional rules is that if the premises are on an offending path then the
subgoal preserves the falsity index of the goal immediately above it. In the case of
BAL(R) assume that the offending path passes through the premise goals. There
is a least $n$ such that for the initial premise $B$ is $n$-equivalent to $X_1A_1 + \ldots + X_kA_k$
and $B$ is not $(n+1)$-equivalent to $X_1A_1 + \ldots + X_kA_k$. As there are exactly $M$
applications of UNF between the initial and final premise it follows that $B'$ is
$(n - M)$-equivalent to $D_1A_1 + \ldots + D_kA_k$. However, as this is the offending path,
$B'$ is not $(n + 1 - M)$-equivalent to $D_1A_1 + \ldots + D_kA_k$. A small argument shows
that $B'$ is not $(n + 1 - M)$-equivalent to $D_1(B \cdot w(X_1)) + \ldots + D_k(B \cdot w(X_k))$
(because $A_i$ is $(n - M)$-equivalent to $(B \cdot w(X_i))$). There is a similar soundness
argument for CUT. The idea of this style of soundness is essentially due to
Sénizergues (although he uses the different framework of deduction systems).

The main result is as follows, and a similar result holds for monadic recursion
schemes.

Theorem 1 $F \sim G$ iff there is a finite tableau proof for $F = G$.

5 Conclusion 

We have sketched decidability of equivalence for two old schema problems. However,
there are many open questions for further work. First, we do not have a
complexity bound for the decision procedures. Secondly, we have only shown
decidability for first-order recursion schemes. There is a known hierarchy of
schema problems at higher order $m$. The branch languages of higher-order
schemes are deterministic context-sensitive languages, as illustrated by the following
2nd-order scheme

$\Phi(G, H)(x) \stackrel{def}{=} f(\Phi(Gg, Hh)(x), G(Hx))$

starting from $\Phi(g, h)(x)$. And so little is known about deterministic context-sensitive
languages.
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Abstract. We present a linear realizability technique for building Par- 
tial Equivalence Relations (PER) categories over Linear Combinatory 
Algebras. These PER categories turn out to be linear categories and to 
form an adjoint model with their co-Kleisli categories. We show that a 
special linear combinatory algebra of partial involutions, arising from 
Geometry of Interaction constructions, gives rise to a fully and faithfully 
complete model for ML polymorphic types of system F. 

Keywords: ML-polymorphic types, linear logic, PER models, Geometry
of Interaction, full completeness.



Introduction 

Recently, Game Semantics has been used to define fully-complete models for
various fragments of Linear Logic ([AJ94a, AM99]), and to give fully-abstract
models for many programming languages, including PCF [AJM96, HO00, Nic94],
richer functional languages [McC96], and languages with non-functional features
such as reference types and non-local control constructs [AM97, Lai97].

All these results are crucially based on the linear analysis of the intuitionistic 
arrow which is possible in the intensional setting of game categories. However, 
the definitions of game and game categories are quite complex, often requiring 
cumbersome quotienting operations. In this paper, we present the technique of 
linear realizability as a simpler and more direct alternative to game constructions 
for addressing full completeness issues. 

The linear realizability technique amounts to constructing a category of Par- 
tial Equivalence Relations (PERs) over a Linear Combinatory Algebra (LCA), 
which turns out to be a linear category, and to form an adjoint model with its co- 
Kleisli category. The notion of Linear Combinatory Algebra introduced by the 
first author ([Abr97a]) refines the standard notion of Combinatory Algebra, in
the same way in which intuitionistic linear logic refines intuitionistic logic. The 

* Work partially supported by TMR Linear FMRX-CT98-0170. 



P. Clote and H. Schwichtenberg (Eds.): CSL 2000, LNCS 1862, pp. 140-155, 2000.
(c) Springer-Verlag Berlin Heidelberg 2000



A Fully Complete PER Model for ML Polymorphic Types 141 



construction of PER models from LCA’s presented in this paper is quite simple 
and clear, and it yields models with extensionality properties, thus avoiding the 
quotienting operations which are often needed in defining game categories and 
models. Moreover, PER categories offer simple natural models for second order
(polymorphic) $\lambda$-calculus, i.e. Girard's System F ([Gir72]).

Recently, there has been much interest in realizability techniques, and in
particular in linear realizability, especially in connection with full completeness
and full abstraction problems. Realizability can be regarded as a powerful tool
for mediating between intensional and extensional aspects of computation, and
it has been used for extensionalizing intensional constructions (e.g. in [AM99])
and as a technique for building directly interesting (possibly fully-complete/fully-abstract)
models. Examples of this latter use of realizability appear in this paper,
and in a companion paper where a fully-abstract PER model for PCF, alternative to the
game model, is provided using the algebra of well-bracketed strategies.

A categorical model of a type theory (or logic) is said to be fully-complete
([AJ94a]) if, for all types (formulae) $A$, $B$, all morphisms $f : [\![A]\!] \to [\![B]\!]$, from the
interpretation of $A$ into the interpretation of $B$, are denotations of a proof-term
of the entailment $A \vdash B$, i.e. if the interpretation function from the category
of syntactical objects to the category of denotations is full. The notion of full
completeness is the counterpart of the notion of full abstraction, in the sense
that, if the term language is executable, then a fully-complete model is (up to a
possible quotient) fully-abstract.

Besides full completeness, one can ask whether the theory induced
by a model $\mathcal{M}$ coincides precisely with the syntactical theory or whether
more equations are satisfied in $\mathcal{M}$. A model $\mathcal{M}$ is called faithful if it realizes
exactly the syntactical theory.

The fully and faithfully complete model for ML-types built in this paper
is obtained as an instance of the PER construction, by considering the special
linear combinatory algebra of partial involutions. ML-types are universal closures
of simple types, i.e. types of the form $\forall X_1 \ldots X_n.T$, where $T$ is $\forall$-free and
$FV(T) \subseteq \{X_1, \ldots, X_n\}$. The algebra of partial involutions arises in the context
of the generalization of Girard's Geometry of Interaction due to the first
author ([AJ94, Abr96, Abr97a, AHPS98]). This is a powerful construction, which
allows one to build many new combinatory algebras, as well as to recover previously
known models by viewing them from an alternative perspective. The algebra of
partial involutions is a highly constrained algebra, in which all computations are
reversible. Partial involutions are reminiscent of the copy-cat strategies of game
categories, in that all the combinators mediate the required interactions between
the arguments simply by copying information between input and output ports.

The proof of full completeness consists in showing that this model satisfies
the axioms of the axiomatization of fully-complete models for ML-types. This
axiomatization is given on the models of system F which are called hyperdoctrines
([Cro93]). In particular, it works in the context of adjoint models. It consists of
two main steps. The first is an axiomatization of the fact that every morphism
$f : 1 \to [\![T]\!]$, where $T$ is an ML-type, generates, under decomposition, a possibly
infinite typed Böhm tree. Then, an axiom which rules out infinite trees from the
model is introduced.

Proving that the model of partial involutions considered in this paper does
not contain infinite typed Böhm trees is quite difficult, and it requires the study
of an intermediate model. This is the model generated by the Sierpinski PER,
and it consists of all (possibly infinite) Böhm trees of the typed $\lambda$-calculus with
$\bot$-constants. A crucial step in our proof consists in proving that, in the simply
typed $\lambda$-calculus with typical ambiguity and $\bot$-constants, "totality tests" are $\lambda$-definable
by finite typed trees. These totality tests allow us to tell apart normal
forms in which $\bot$ appears from those in which $\bot$ does not appear. A further
ingredient is an Approximation Lemma.

The full completeness result obtained in this paper is interesting, since, until
now, the research on full completeness for System F has produced fully-complete
denotational models only for a small subclass of ML-types, i.e. the algebraic
types. In the literature, there are two fully-complete models for
the whole system F: the first is based on a quotient of a term model, the latter is
a game model. But both these models still have a somewhat syntactical flavour,
and their constructions are extremely complex. The model in this paper can be
viewed as the first denotational model which is fully-complete for the whole class
of ML-types.

In Section 1 we recall the syntax of ML types of system F, and we present
two results on the simply typed $\lambda$-calculus with a theory satisfying Typical
Ambiguity. The first is due to Statman, the latter is a new Typed Separability result.
In Section 2 we recall the notion of $2\lambda\times$-hyperdoctrine and the notion of adjoint
hyperdoctrine, and we formalize the definition of fully-complete hyperdoctrine.
In Section 3 we present the linear realizability technique for building PER
categories over LCAs. In Section 4 the LCA of partial involutions is described.
In Section 5 the proof of full completeness for the PER model over the LCA of
partial involutions is sketched. Final remarks and directions for future work
appear in Section 6.

The authors are thankful to F.Honsell, R. Jagadeesan, J. Laird, J.Longley, 
S. Martini, G.Plotkin, A. Simpson for useful discussions on some of the issues of 
the paper. 

1 ML Polymorphism 

First, we recall the syntax of the class of ML-types of system F. Then, we present
two important results on the simply typed $\lambda$-calculus with a theory satisfying
Typical Ambiguity. A theory is said to satisfy Typical Ambiguity if two terms
are equated if and only if they are equated for all possible substitutions of type
variables. The first result that we present is Statman's Typical Ambiguity Theorem,
which asserts that there is exactly one consistent theory satisfying Typical
Ambiguity on the simply typed $\lambda$-calculus with infinitely many type variables:
this is the $\beta\eta$-theory. An immediate consequence of this result is that the only
consistent theory on the fragment of system F consisting of ML-types is precisely
the $\beta\eta$-theory. The second result concerns the definability of "convergence tests"
in the simply typed $\lambda$-calculus with infinitely many type variables, $\bot$-constants,
and satisfying Typical Ambiguity. In particular, we prove that, for any given
type, there are convergence test terms, which detect the presence of $\bot$-constants
in a term of that type. This implies immediately that, in a theory of Typical
Ambiguity over the simply typed $\lambda$-calculus with infinitely many type variables and
$\bot$-constants, a term containing $\bot$ in its normal form can never be equated to a
term in whose normal form $\bot$ does not appear. This result is used in the proof
of full completeness of the model of PERs over the LCA of partial involutions.
We assume that the reader is familiar with System F.

The class of ML-polymorphic types of system F corresponds to the limited 
kind of polymorphism allowed in the language ML. 

Definition 1 (ML-types). The class ML-Type of ML-types is defined by:
ML-Type $= \{\forall\vec{X}.T \mid T \in SimType \wedge FV(T) \subseteq \vec{X}\}$,
where SimType is the class of simple types of system F, i.e. simple types over
an infinite set of type variables, and $\vec{X}$ stands for $X_1, \ldots, X_n$, for $n \geq 0$.

Terms of ML-types have essentially the same “combinatorics” as the typically 
ambiguous terms of the simply typed A-calculus. In fact, any theory on ML-terms 
induces a theory satisfying Typical Ambiguity. 

The following is a result about the simply typed $\lambda$-calculus with infinitely many
type variables, $\lambda^\infty$, first proved in [Sta88].

Theorem 1 (Statman's Typical Ambiguity). Let $T$ be a type of $\lambda^\infty$ s.t.
$FV(T) \subseteq \{X_1, \ldots, X_n\}$. If $\nvdash M =_{\beta\eta} N : T$, then there exist types $S_1, \ldots, S_n$,
and $Y \in TVar$, and a term $L$ s.t. $\vdash L[\vec{S}/\vec{X}] : T[\vec{S}/\vec{X}] \to Bool_Y$, where $Bool_Y =
Y \to Y \to Y$, s.t.

$\vdash (LM)[\vec{S}/\vec{X}] =_{\beta\eta} true : Bool_Y \;\wedge\; \vdash (LN)[\vec{S}/\vec{X}] =_{\beta\eta} false : Bool_Y$,
where $true = \lambda x : Y.\lambda y : Y.x$ and $false = \lambda x : Y.\lambda y : Y.y$.

Corollary 1. i) The maximal consistent theory satisfying Typical Ambiguity on
the simply typed $\lambda$-calculus with infinitely many type variables is the $\beta\eta$-theory.
ii) The maximal consistent theory on the fragment of system F consisting of
ML-types is the $\beta\eta$-theory.

As it will be clear in the following section from the definition of full completeness,
by Corollary 1 ii), any non-trivial fully-complete model for ML-types of
system F is necessarily faithful, i.e. it realizes exactly the $\beta\eta$-theory at ML-types.

Now we show that "convergence tests" are $\lambda$-definable in the simply typed
$\lambda$-calculus with infinitely many type variables and $\bot$-constants for any type
variable, and a theory satisfying Typical Ambiguity, which we call $\lambda^\bot$.

Definition 2 (Typed Convergence Tests). Let $T = T_1 \to \ldots \to T_n \to X_k \in SimType$,
let $\iota$ be a distinguished type variable, and let $\alpha_T = T[\iota \to \iota/\vec{X}]$.
We define, by induction on $T$, the convergence test term $\vdash S_{\alpha_T} : \alpha_T$ as follows:
if $T = X$, then $S_{\alpha_T} = \lambda z : \iota.\,z$ (the instance $n = 0$ of the clause below); otherwise,
let $T = T_1 \to \ldots \to T_n \to X_k$, where $T_i = U_{i1} \to \ldots \to U_{iq_i} \to X_i$; then

$S_{\alpha_T} = \lambda x_1 : \alpha_{T_1} \ldots \lambda x_n : \alpha_{T_n}.\,\lambda z : \iota.\,(x_1 S_{\alpha_{U_{11}}} \ldots S_{\alpha_{U_{1q_1}}})(\ldots(x_n S_{\alpha_{U_{n1}}} \ldots S_{\alpha_{U_{nq_n}}} z))$.

The "convergence test" terms defined above give us a procedure for deciding
whether a normal form of $\lambda^\bot$ contains a divergent subterm. Namely, let $M$
be a normal form of $\lambda^\bot$ of type $T_1 \to \ldots \to T_n \to X_k$. We first instantiate
all the free type variables in $M$ by $\iota \to \iota$, then we apply $M$ to the sequence of
convergence tests $S_{\alpha_{T_1}}, \ldots, S_{\alpha_{T_n}}$. The effect of this is that, in the head reduction
of $M S_{\alpha_{T_1}} \ldots S_{\alpha_{T_n}}$, each subterm of $M$ definitely appears in head position, and
it reduces to the identity, until a $\bot$ is detected.

For a term $\vec{y} : \vec{U} \vdash M : T$, we denote by $\vec{y} : \alpha_{\vec{U}} \vdash M_\alpha : \alpha_T$ (or simply by
$M_\alpha$) the term of type $\alpha_T$ obtained from $\vec{y} : \vec{U} \vdash M : T$ by instantiating all the
type variables free in $T$ by $\iota \to \iota$.



Theorem 2 (Typed Separability). Let $T = T_1 \to \ldots \to T_n \to X_k \in SimType$,
and let $\vdash M : T$ be a term of $\lambda^\bot$. Then

$M_\alpha\, S_{\alpha_{T_1}} \ldots S_{\alpha_{T_n}} =_{\beta\eta} \lambda x : \iota.\,x$ if the normal form of $M$ is $\bot$-free, and
$M_\alpha\, S_{\alpha_{T_1}} \ldots S_{\alpha_{T_n}} =_{\beta\eta} \lambda x : \iota.\,\bot$ otherwise.

Theorem 2 above can be regarded as a typed Böhm-like Separability Theorem,
in the sense that, if we think of $\bot$ as a generic unsolvable term, then Theorem 2
allows us to tell apart normal forms from unsolvable terms.

Corollary 2. In any theory satisfying Typical Ambiguity on $\lambda^\bot$, a term in
whose normal form $\bot$ appears cannot be equated to a term in whose normal
form $\bot$ does not appear.



2 Models of System F 

We recall first the notion of $2\lambda\times$-hyperdoctrine (see [Cro93]). This essentially
corresponds to the notion of external model (see [AL91]). Then, we give the formal
definition of fully (and faithfully) complete hyperdoctrine model. Finally, we
define the categorical notion of adjoint hyperdoctrine, on which the axiomatization
of full completeness at ML-types is given. Adjoint hyperdoctrines
arise as co-Kleisli indexed categories of linear indexed categories.

In what follows, we assume that all indexed categories which we consider are
strict (see e.g. [AL91, Cro93] for more details).

Definition 3 ($2\lambda\times$-hyperdoctrine). A $2\lambda\times$-hyperdoctrine is a triple $(\mathcal{C}, G, \forall)$,
where:

— $\mathcal{C}$ is the base category; it has finite products, and it consists of a distinguished
object $\mathcal{U}$ which generates all other objects using the product operation
$\times$. We will denote by $\mathcal{U}^m$, for $m \geq 0$, the objects of $\mathcal{C}$.

— $G : \mathcal{C}^{op} \to \mathbf{CCCat}$ is a $\mathcal{C}$-indexed cartesian closed category, where $\mathbf{CCCat}$ is
the category of cartesian closed categories and strict cartesian closed functors,
such that: for all $\mathcal{U}^m$, the collection of objects of the cartesian closed
fibre category $G(\mathcal{U}^m)$ is indexed by the morphisms from $\mathcal{U}^m$ to $\mathcal{U}$ in $\mathcal{C}$, i.e.
the objects of $G(\mathcal{U}^m)$ are the morphisms in $Hom_{\mathcal{C}}(\mathcal{U}^m, \mathcal{U})$, and, for any
$f : \mathcal{U}^m \to \mathcal{U}^n$ in $\mathcal{C}$, the cartesian closed functor $G(f) : G(\mathcal{U}^n) \to G(\mathcal{U}^m)$,
called reindexing functor and denoted by $f^*$, is s.t., for any object $h : \mathcal{U}^n \to \mathcal{U}$,
$f^*(h) = f ; h$;

— For each object $\mathcal{U}^m$ of $\mathcal{C}$, there are functors $\forall_m : G(\mathcal{U}^m \times \mathcal{U}) \to G(\mathcal{U}^m)$ s.t.

• $\forall_m$ is right adjoint to the functor $G(\pi_m) : G(\mathcal{U}^m) \to G(\mathcal{U}^m \times \mathcal{U})$, where
$\pi_m : \mathcal{U}^m \times \mathcal{U} \to \mathcal{U}^m$ is the projection in $\mathcal{C}$;

• $\forall_m$ satisfies the Beck-Chevalley condition.

Any $2\lambda\times$-hyperdoctrine can be endowed with a notion of interpretation $[\![\ ]\!]$
for the language of system F.

Types with free variables in $X_1, \ldots, X_m$ are interpreted by objects of $G(\mathcal{U}^m)$,
i.e. by morphisms from $\mathcal{U}^m$ to $\mathcal{U}$ in $\mathcal{C}$: $[\![X_1, \ldots, X_m \vdash T]\!] : \mathcal{U}^m \to \mathcal{U}$.

Well-typed terms, i.e. $X_1, \ldots, X_m; x_1 : T_1, \ldots, x_n : T_n \vdash M : T$, are interpreted
by morphisms in the category $G(\mathcal{U}^m)$:

$[\![X_1, \ldots, X_m; x_1 : T_1, \ldots, x_n : T_n \vdash M : T]\!] : [\![\vec{X} \vdash T_1]\!] \times \ldots \times [\![\vec{X} \vdash T_n]\!] \to [\![\vec{X} \vdash T]\!]$.

Definition 4 (Full (and Faithful) Completeness). Let $\mathcal{M} = (\mathcal{C}, G, \forall, [\![\ ]\!])$
be a $2\lambda\times$-hyperdoctrine. $\mathcal{M}$ is fully and faithfully complete w.r.t. the class of
closed types $\mathcal{T}$ if, for all $T \in \mathcal{T}$,

$\forall f : 1 \to [\![T]\!].\ \exists!\ \beta\eta\text{-normal form } M.\ \vdash M : T \;\wedge\; f = [\![\vdash M : T]\!]$.

In the following definition, we capture those $2\lambda\times$-hyperdoctrines which arise
from a co-Kleisli construction over an indexed linear category, and on which the
axiomatization of fully-complete models for ML-types is based.

Definition 5 (Adjoint Hyperdoctrine).

An adjoint hyperdoctrine is a quadruple $(\mathcal{C}, L, G, \forall)$, where:

— $\mathcal{C}$ is the base category; it has finite products, and it consists of a distinguished
object $\mathcal{U}$ which generates all other objects using the product operation $\times$. We
will denote by $\mathcal{U}^m$, for $m \geq 0$, the objects of $\mathcal{C}$.

— $L : \mathcal{C}^{op} \to \mathbf{LCat}$ is a $\mathcal{C}$-indexed linear category, where $\mathbf{LCat}$ is the category of
linear categories and strict monoidal closed functors preserving the comonad
structure, s.t.: for all $\mathcal{U}^m$, the underlying collection of objects of the linear
fibre category $L(\mathcal{U}^m)$ is indexed by the morphisms from $\mathcal{U}^m$ to $\mathcal{U}$ in $\mathcal{C}$.

— $G : \mathcal{C}^{op} \to \mathbf{CCCat}$ is the $\mathcal{C}$-indexed co-Kleisli category of $L$, which we assume
to be cartesian closed.

— For each object $\mathcal{U}^m$ of $\mathcal{C}$, there are functors $\forall_m : G(\mathcal{U}^m \times \mathcal{U}) \to G(\mathcal{U}^m)$ s.t.

• $\forall_m : G(\mathcal{U}^m \times \mathcal{U}) \to G(\mathcal{U}^m)$ is right adjoint to the functor $G(\pi_m) :
G(\mathcal{U}^m) \to G(\mathcal{U}^m \times \mathcal{U})$, where $\pi_m : \mathcal{U}^m \times \mathcal{U} \to \mathcal{U}^m$ is the projection in $\mathcal{C}$;

• $\forall_m : G(\mathcal{U}^m \times \mathcal{U}) \to G(\mathcal{U}^m)$ satisfies the Beck-Chevalley condition.

3 Models of PERs over a Linear Combinatory Algebra 

Canonical examples of $2\lambda\times$-hyperdoctrines arise from considering the Partial
Equivalence Relation (PER) category over a combinatory algebra. In this section,
we show how to build a PER category from a linear combinatory algebra (LCA).
This category turns out to form an adjoint model with its co-Kleisli category, and
it gives rise to an adjoint hyperdoctrine.

We start by recalling the definition of linear combinatory algebra ([Abr97a,
AHPS98]):
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Definition 6 (Linear Combinatory Algebra). A linear combinatory algebra 
A — (A,*,!) is an applicative structure (A,*) with a unary (injective) operation 
!, and distinguished elements (comhinators) B,C, Ij K,W, D,S, F satisfying the 
following equations: 



Equation 

Ix = X 

Bxyz = x{yz) 
Cxyz = {xz)y 
Kxly = X 
Wxly = xlyly 
Dlx = X 
5 \x =!!a: 

F^.x\y =!(xy) 



Principal type 

a—oa 

(a— 0/3) —0(7— oa) —07—0/3 
(a— 0/3— 07) —0/3— oa— 07 
a— o!/ 3 — oa 

(!a— o!a— 0/3)— o!a— 0/3 
!a— oa 
!a— o!!a 

!(a— 0/3)— o!a— o !/3 



Logical rule 

Identity 

Cut 

Exchange 

Weakening 

Contraction 

Dereliction 

Comultiplication 

Closed Functoriality . 



LCA’s correspond to Hilbert style axiomatization of — o, ! fragment of Linear 
Logic. Given an LCA A = (A,*,!), we can form a standard CA As = (A, *s) 
by the “combinatory version” of Girard’s translation of Intuitionistic Logic into 
Linear Logic. We define: a /3 = a *!/3 (standard combinators can be defined in 
terms of the linear ones, see lAHPMhsI for details). 

We recall that a BCI-algehra is an applicative structure (A,*) with B,C,I 
combinators. In the next definition, we define a PER category over a BCI- 
algebra, which turns out to be symmetric monoidal closed. 



Definition 7. Let $\mathcal{A} = (A, \cdot)$ be a BCI-algebra. We define the category $\mathbf{PER}_{\mathcal{A}}$
as follows.

Objects: PERs $\mathcal{R} \subseteq A \times A$, i.e. symmetric and transitive relations.

Morphisms: a morphism $f$ from $\mathcal{R}$ to $\mathcal{S}$ is an equivalence class of the PER
$\mathcal{R} \multimap \mathcal{S}$, where the PER $\mathcal{R} \multimap \mathcal{S}$ is defined by

$\alpha\,(\mathcal{R} \multimap \mathcal{S})\,\beta$ iff $\forall \gamma\,\mathcal{R}\,\gamma'.\ \alpha \cdot \gamma\ \mathcal{S}\ \beta \cdot \gamma'$.

On BCI-algebras, standard pairing gives rise to a tensor product, but the
definition of the tensor product requires some care:

Lemma 1. Let $\mathcal{A} = (A, \cdot)$ be a BCI-algebra. Let $P$ be the pairing combinator,
i.e. (using $\lambda$-notation) $P = \lambda xyz.zxy$. Then, for all PERs $\mathcal{R}, \mathcal{S}$, let $\mathcal{R} \otimes \mathcal{S}$ be
the PER defined as the transitive closure of the following relation:

$\mathcal{R} \otimes' \mathcal{S} = \{(P\alpha\beta, P\alpha'\beta') \mid \alpha\,\mathcal{R}\,\alpha' \wedge \beta\,\mathcal{S}\,\beta'\}$.

Notice in particular that, if the BCI-algebra is affine, i.e. it is a BCK-algebra,
then the relation $\mathcal{R} \otimes' \mathcal{S}$ is already transitive, since, using projections, we get:
$P\alpha\beta = P\alpha'\beta' \Rightarrow \alpha = \alpha' \wedge \beta = \beta'$.

Proposition 1. Let $\mathcal{A} = (A, \cdot)$ be a BCI-algebra. Then $\mathbf{PER}_{\mathcal{A}}$ is a symmetric
monoidal closed category.

Now we show how an LCA gives rise to a linear category. 
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Proposition 2. Let A = (A,*,!) be an LCA. Let ! : PER_a PERy\ be the 
functor defined by 

yn. nz= {(!a, \fd)\an /?}, V/ :7^l^7^2 . // = [F\f] . 

Then {!, D, 6, 4’-: 4>') is a symmetric monoidal comonad, where 

— 4ni,Ti2 ■ ® 112 ) is defined by 4>ni,K2 = [Xu.FlP{uF)]; 

— 4' -.1 ~ !L is [S]j^fj. 

The following isomorphisms hold immediately in PER categories over LCA’s: 

Lemma 2. Let A = {A, •, !) be an LCA. Then, for all PERs TZ, S, 

1. (Idempotency of !) [D] : //7?.~ !TZ : [5]; 

2. (Uniformity of Threads) '0 : / 72. — 0 / / 72 — o 5 : (-)^ , where 4 = 

[Aa:.a;;77]; or equivalently: Va £ /72 —o!S, (a; [77])^ = a; 

3. (Commutativity of p| w.r.t. !) 72~!(P|x ^)- 

The second isomorphism in LemmaO above is relevant for full completeness. 
In fact, this isomorphism amounts exactly to the Uniformity of Threads Axiom in 
the axiomatization of full completeness of |AI;lffla,| . The isomorphisms of Lemma 
0 above highlight the fact that the PER category is a “degenerate” model of 
linear logic. 

Theorem 3. Let A = (A,*,!) be an LCA. Then 

— The category PER^ is linear. 

— The co-Kleisli category {PERjf)\, induced by the comonad ! on the category 
PERj^, is cartesian closed. 

— The categories PER^x and {PERj\)\ form an adjoint model. 

— The category {PERj\)\ is isomorphic to the category PER^^, where PERj\^^ is 
the category obtained by standard realizability from the standard combinatory 
algebra As. 

Finally, we show how to build an adjoint hyperdoctrine from an LCA: 

Theorem 4 (PER Adjoint Hyperdoctrine). Let $\mathcal{A} = (A, \cdot, !)$ be an LCA.
Then $\mathcal{A}$ gives rise to an adjoint hyperdoctrine $(\mathcal{C}, L, G, \forall)$, by defining:

$\mathcal{C}$: Let $\mathcal{U}$ be the set $\{\mathcal{R} \mid \mathcal{R}$ is a PER on $A\}$. The objects of $\mathcal{C}$, $\mathcal{U}^n$, for $n \geq 0$,
are the finite products in $\mathbf{Set}$ of $n$ copies of the set $\mathcal{U}$; in particular $\mathcal{U}^0$ is the
terminal object in $\mathbf{Set}$. A morphism in $\mathcal{C}$, $f : \mathcal{U}^n \to \mathcal{U}^m$, is a set-theoretic
function from $\mathcal{U}^n$ to $\mathcal{U}^m$.

$L$: The morphisms in the fibre category $L(\mathcal{U}^m)$ from $h_1 : \mathcal{U}^m \to \mathcal{U}$ to $h_2 :
\mathcal{U}^m \to \mathcal{U}$ are the equivalence classes of the PER $\bigcap_{\vec{X}} (h_1\vec{X} \multimap h_2\vec{X})$. For
any object $f : \mathcal{U}^m \to \mathcal{U}$ in $L(\mathcal{U}^m)$, we define $!f$ to be $\lambda\vec{X}.\,!(f\vec{X})$. For any
morphism $f : \mathcal{U}^n \to \mathcal{U}^m$ in $\mathcal{C}$, we define the behaviour of the functor $L(f) :
L(\mathcal{U}^m) \to L(\mathcal{U}^n)$ on morphisms by: for any morphism $H : h_1 \to h_2$ in $L(\mathcal{U}^m)$,
$H = \lambda\vec{X}.H' \in \bigcap_{\vec{X}} (h_1\vec{X} \multimap h_2\vec{X})$, let $L(f)(H) : L(f)(h_1) \to L(f)(h_2)$ be
$\lambda\vec{X}.H' \circ f(\vec{X}) \in \bigcap_{\vec{X}} (L(f)(h_1)\vec{X} \multimap L(f)(h_2)\vec{X})$.

$\forall$: The functor $\forall_m : L(\mathcal{U}^m \times \mathcal{U}) \to L(\mathcal{U}^m)$ is defined as follows. For any $h :
\mathcal{U}^m \times \mathcal{U} \to \mathcal{U}$, $\forall_m(h) = \lambda\vec{X}.\bigcap_Y h(\vec{X}, Y)$. For any morphism $H : h_1 \to h_2$ in
$L(\mathcal{U}^m \times \mathcal{U})$, $\forall_m(H) = H$.
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4 Partial Involutions Affine Combinatory Algebra 

Many examples of LCAs arise from the categorical version of Girard’s Geometry 
of Interaction (Gol) construction, based on traced symmetric monoidal cate- 
gories (EEnzMEEnraMi). A basic example of Gol LGA, introduced in 
EEznza, can be defined on the space [N ^ N] of partial functions from nat- 
ural numbers into natural numbers, by applying the Gol construction to the 
the traced category Pfn of sets and partial functions. Here we briefly recall 
the definition of this LGA, without discussing the categorical framework (see 
IAhrl)7alAhrl)filAHPMfiSl for more details) . The LGA of partial involutions, which 
will be shown to provide a fully-complete model for ML-types (see Section El), 
arises as subalgebra of this. 

Let us consider the space [N ^ N] of partial functions from natural numbers 
to natural numbers. For any a G [N ^ N] injective, we denote by a~^ the inverse 
of a. Now we show how we can endow the space [N ^ N] with a structure of 
LGA. Actually, the algebra which we obtain is affine, i.e. it has a full if-combi- 
nator. We start by fixing two injective coding functions t and p: 
t:N + N-^N , p:NxN^N. 

The first is used in order to define application, and it allows to transform an 
on e-input /one-output function into a two-input /two-output function. The latter 
is used for creating infinitely many copies of an one-input /one-output function 
a, i.e. for defining \a. 

We now explain how application is computed geometrically, using the lan- 
guage of “boxes and wires” which arises in the general setting of traced sym- 
metric monoidal categories (see j,TSV96j for an abstract treatment). 

Let us represent a one-input/one-output function $\alpha \in [\mathbb N \rightharpoonup \mathbb N]$ by the following one-input-port/one-output-port box (see Fig. 1(i) below).

In order to define the application $\alpha \cdot \beta$, for $\alpha, \beta \in [\mathbb N \rightharpoonup \mathbb N]$, we regard $\alpha$ as a two-input/two-output function via the coding $t$. In particular, $t; \alpha; t^{-1} : \mathbb N + \mathbb N \rightharpoonup \mathbb N + \mathbb N$ can be described as a matrix of 4 one-input/one-output functions, where each entry $\alpha_{ij} : \mathbb N \rightharpoonup \mathbb N$, $\alpha_{ij} = in_i; t; \alpha; t^{-1}; in_j^{-1}$, accounts for the contribution from the $i$-th input wire into the $j$-th output wire (see Fig. 1(ii)).





Fig. 1. Geometrical description of linear application: (i) the box for $\alpha$, (ii) the matrix of entries $\alpha_{ij}$, (iii) the result $\alpha \cdot \beta$.
The result of the application $\alpha \cdot \beta$ is the following one-input/one-output function (see Fig. 1(iii)):

$\alpha \cdot \beta = \alpha_{22} \cup \alpha_{21}; (\beta; \alpha_{11})^*; \beta; \alpha_{12}$ ,

where $\cup$ denotes union of graph relations, and $(\beta; \alpha_{11})^*$ denotes $\bigcup_{n \geq 0} (\beta; \alpha_{11})^n$.

The above formula for computing the application is essentially the Execution Formula from Girard's Geometry of Interaction [...].

The definition of the $!$-operation on our applicative structure is quite simple. The operation $!$ is intended to produce, from a single copy of $\alpha$, infinitely many copies of $\alpha$. These are obtained by simply tagging each of these copies with a natural number, i.e. we define:

$!\alpha = p^{-1}; (id_{\mathbb N} \times \alpha); p$ .

Finally, we are left to show that (affine) combinators can be defined on the structure $([\mathbb N \rightharpoonup \mathbb N], \cdot, !)$. The formal (algebraic) definition of the combinators is the following:

Definition 8 (Combinators). For $X \in \{I, B, C, K, W, D, S, F\}$, let

where:

I : – $s_I = t$.

- $f_I : \mathbb N + \mathbb N \to \mathbb N + \mathbb N$ is defined by:

$\forall n.\ f_I(r, n) = (l, n)\ \wedge\ \forall n.\ f_I(l, n) = (r, n)$.

B : – $s_B : (((\mathbb N + \mathbb N) + (\mathbb N + \mathbb N)) + \mathbb N) + \mathbb N \to \mathbb N$ is defined by

$s_B = ((t + t) + id_{\mathbb N}) + id_{\mathbb N};\ (t + id_{\mathbb N}) + id_{\mathbb N};\ t + id_{\mathbb N};\ t$ .

- $f_B : (((\mathbb N+\mathbb N) + (\mathbb N+\mathbb N)) + \mathbb N) + \mathbb N \to (((\mathbb N+\mathbb N) + (\mathbb N+\mathbb N)) + \mathbb N) + \mathbb N$ is the function defined by the following equations together with their symmetric closure:

• $\forall n.\ f_B(r, n) = (l, (l, (l, (r, n))))$

• $\forall n.\ f_B(l, (l, (l, (l, n)))) = (l, (l, (r, (r, n))))$

• $\forall n.\ f_B(l, (l, (r, (l, n)))) = (l, (r, n))$.

C : – $s_C : ((\mathbb N + \mathbb N) + ((\mathbb N + \mathbb N) + \mathbb N)) + \mathbb N \to \mathbb N$ is defined by

$s_C = (t + (t + id_{\mathbb N})) + id_{\mathbb N};\ (t + t) + id_{\mathbb N};\ t + id_{\mathbb N};\ t$ .

- $f_C : ((\mathbb N+\mathbb N) + ((\mathbb N+\mathbb N) + \mathbb N)) + \mathbb N \to ((\mathbb N+\mathbb N) + ((\mathbb N+\mathbb N) + \mathbb N)) + \mathbb N$ is the function defined by the following equations together with their symmetric closure:

• $\forall n.\ f_C(r, n) = (l, (r, (r, n)))$

• $\forall n.\ f_C(l, (r, (l, (r, n)))) = (l, (l, (r, n)))$

• $\forall n.\ f_C(l, (r, (l, (l, n)))) = (l, (l, (l, n)))$ .

K : – $s_K : (\mathbb N + \mathbb N) + \mathbb N \to \mathbb N$ is defined by $s_K = t + id_{\mathbb N};\ t$ .

- $f_K : (\mathbb N + \mathbb N) + \mathbb N \to (\mathbb N + \mathbb N) + \mathbb N$ is the function defined by:

$\forall n.\ f_K(r, n) = (l, (r, n))\ \wedge\ \forall n.\ f_K(l, (r, n)) = (r, n)$.

W : In order to define $W$, we need first to fix $i, j \in \mathbb N$ such that $i \neq j$. Then

- $s_W : ((\mathbb N \times \mathbb N) + ((\mathbb N + \mathbb N) + \mathbb N)) + \mathbb N \to \mathbb N$ is defined by
$s_W = (p + (t + id_{\mathbb N})) + id_{\mathbb N};\ (id_{\mathbb N} + t) + id_{\mathbb N};\ t + id_{\mathbb N};\ t$ .

- $f_W : ((\mathbb N \times \mathbb N) + ((\mathbb N+\mathbb N) + \mathbb N)) + \mathbb N \to ((\mathbb N \times \mathbb N) + ((\mathbb N+\mathbb N) + \mathbb N)) + \mathbb N$ is the function defined by the following equations together with their symmetric closure:

• $\forall n.\ f_W(r, n) = (l, (r, (r, n)))$

• $\forall n.\ f_W(l, (r, (l, (r, n)))) = (l, (l, (i, n)))$

• $\forall n.\ f_W(\ \ldots\ ) = (l, (l, (j, n)))$.

D : In order to define $D$, we need to fix $i \in \mathbb N$. Then

- $s_D : (\mathbb N \times \mathbb N) + \mathbb N \to \mathbb N$ is defined by $s_D = p + id_{\mathbb N};\ t$ .

- $f_D : (\mathbb N \times \mathbb N) + \mathbb N \to (\mathbb N \times \mathbb N) + \mathbb N$ is the function defined by:

$\forall n.\ f_D(r, n) = (l, (i, n))\ \wedge\ \forall n.\ f_D(l, (i, n)) = (r, n)$ .

S : In order to define $S$, we need to fix $i, j \in \mathbb N$. Then

- $s_S : (\mathbb N \times (\mathbb N \times \mathbb N)) + \mathbb N \to \mathbb N$ is defined by
$s_S = (id_{\mathbb N} \times p) + id_{\mathbb N};\ p + id_{\mathbb N};\ t$ .

- $f_S : (\mathbb N \times (\mathbb N \times \mathbb N)) + \mathbb N \to (\mathbb N \times (\mathbb N \times \mathbb N)) + \mathbb N$ is the function defined by:

$\forall n.\ f_S(r, n) = (l, (i, (j, n)))\ \wedge\ \forall n.\ f_S(l, (i, (j, n))) = (r, n)$.

F : In order to define $F$, we need to fix $i, j \in \mathbb N$. Then

- $s_F : ((\mathbb N \times \mathbb N) + \mathbb N \times (\mathbb N + \mathbb N)) + \mathbb N \to \mathbb N$ is defined by
$s_F = (p + (id_{\mathbb N} \times t)) + id_{\mathbb N};\ (id_{\mathbb N} + p) + id_{\mathbb N};\ t$ .

- $f_F : ((\mathb N \times \mathbb N) + \mathbb N \times (\mathbb N+\mathbb N)) + \mathbb N \to ((\mathbb N \times \mathbb N) + \mathbb N \times (\mathbb N+\mathbb N)) + \mathbb N$ is the function defined by the following equations together with their symmetric closure:

• $\forall n.\ f_F(r, n) = (l, (r, (i, (r, n))))$

• $\forall n.\ f_F(l, (r, (i, (l, n)))) = (l, (l, (j, n)))$ .

There is a simple, intuitive, geometrical explanation of these combinators, which makes use of the language of boxes and wires. For example, let us consider the identity combinator $I$. Since $I$ has to satisfy the equation $Ix = x$, in order to define $I$, it is convenient to regard $I$ as a two-input/two-output function, up-to-coding. The Identity combinator just copies information from the left-hand input-wire to the right-hand output-wire, and vice versa from the right-hand input-wire to the left-hand output-wire (see Fig. 2(i)). The fact that $I$ satisfies the identity equation has a simple geometrical explanation. Let us apply $I$ to a partial function $x$ (see Fig. 2(ii)). Now yank the string connecting the input and the output wires of the result of the application, forgetting about the box corresponding to $I$. This gives us immediately the expected result (see Fig. 2(iii)). Our argument is based on the Yanking Property of the trace on the symmetric monoidal category Pfn underlying our combinatory algebra. In particular, Yanking is one of the axioms characterizing the trace operation in the setting of traced symmetric monoidal categories.

Let us now consider the combinator $B$ which satisfies the equation $Bxyz = x(yz)$. Concretely, the box for $B$ has two input (and two output) wires for $x$ and two input (and two output) wires for $y$, since both $x$ and $y$ are applied to an argument, one input (and one output) wire for $z$, which appears only as argument, plus one extra input (and one output) wire, along which the input-token (output-token) is intended to enter (exit). The connections of the wires inside the box for $B$ are determined by the control flow between $x, y, z$ in the right-hand part of the equation. First of all, the control flow passes from the input port of $B$ to the input port of $x$. The second port of $x$ is then connected to the input port of $y$, while the second port of $y$ is connected to the unique port of $z$. The remaining connections are then obtained by symmetry (see Fig. 3(i)). Using the Yanking Property, one can then check that the result of the application of $B$ to $x, y, z$ is the expected one.

Fig. 2. Geometrical description of I.



Fig. 3. Geometrical representations of B, K.



Now we briefly discuss the remaining combinators. The combinator $C$ can be explained in a similar way as $B$. The affine combinator $K$ simply forgets about its second argument $y$ (see Fig. 3(ii)).

In order to define $W$, we need to fix two different indices $i, j \in \mathbb N$, tagging the copies of $y$ which are used as arguments by $x$. The remaining copies of $y$ are ignored:

(figure: geometrical representation of W, with boxes labelled $!y$ and $x$)

The behavior of $D$, $S$, $F$ can be explained similarly (see [AL99a]).

Essentially, all the combinators of Definition 8 are functions that mediate the required interactions between the arguments simply by copying information between the various ports.

There are many possible conditions that can be imposed on partial functions in order to cut down the space $[\mathbb N \rightharpoonup \mathbb N]$, still maintaining closure under the application, $!$, and all the affine combinators. The subalgebra which gives rise to the fully-complete model of Section 5 is obtained by considering partial involutions:

Definition 9. Let $f : \mathbb N \rightharpoonup \mathbb N$. $f$ is a partial involution iff its graph is a symmetric relation. Let us denote by $[\mathbb N \rightharpoonup_{inv} \mathbb N]$ the space of partial involutions from $\mathbb N$ to $\mathbb N$.

One can check that partial involutions are closed under the application, the $!$-operation, and all the combinators of Definition 8, i.e.:

Proposition 3. $\mathcal A_{Pinv} = ([\mathbb N \rightharpoonup_{inv} \mathbb N], \cdot, !)$ is an affine combinatory algebra.

$\mathcal A_{Pinv}$ is a highly constrained algebra, in which all computations are reversible. Partial involutions are reminiscent of the copy-cat strategies of game categories, in that the only computational effect that they have is that of copying information from input to output wires.



5 A Fully Complete PER Model 

In this section, we sketch the proof that the PER category over the LCA $\mathcal A_{Pinv}$ of Section 4 satisfies the Axioms of [AL99a], and hence it gives rise to a fully and faithfully complete PER model for ML-types.

The axiomatization consists of two main steps. The first is an axiomatization of the fact that every morphism $f : 1 \to [\![T]\!]$, where $T$ is an ML-type, generates, under decomposition, a possibly infinite typed Böhm tree. The second step introduces an axiom which rules out infinite trees from the model. We start by discussing briefly the axioms for the decomposition. First of all, notice that the axiom which expresses the fact that the type $\forall X_k. X_k$ is empty, and the Uniformity of Threads Axiom, hold immediately on PER models. In fact, for the first axiom to hold, we need only to verify that the PER $[\![\forall X_k. X_k]\!]$ is the empty PER. This follows immediately, by instantiating $X_k$ with the empty PER. The Uniformity of Threads Axiom follows from an isomorphism between the interpretations of the two types involved, which is an immediate consequence of Lemma [?] of Section [?]. The proof of the validity of the remaining axioms for the Decomposition Theorem is based essentially on the nature of partial involutions, and it requires a careful analysis of their applicative behavior. The details of the lengthy proof appear in [AL99a]. The most difficult part of the proof of full completeness for the model $PER_{\mathcal A_{Pinv}}$ consists in proving the Finiteness Axiom, i.e. in ruling out infinite typed trees. In particular, we prove that the trees generated by elements of PERs which are denotations of ML-types, via repeated applications of the
Decomposition Theorem, have finite height. In order to prove this finiteness result, we need to study an intermediate model, which contains also approximant terms of possibly infinite trees. This intermediate model consists of the hierarchy of simple PERs over the Sierpinski PER. This hierarchy gives rise to a model for the simply typed calculus with $\top, \bot$ constants at the base type. First of all, we prove an Approximation Lemma (along the lines of [...]), which says that the graph of every partial involution $f$ in a closed polymorphic PER can be viewed as the union of all its approximants. The approximants of $f$ correspond, essentially, to the finite trees obtained by truncating at level $k$ the tree generated from $f$ by applying the Decomposition Theorem. Then, reasoning by contradiction, using the Typed Separability result of Section [?] and the fact that $\top$ does not live in closed polymorphic PERs, we conclude that only trees with finite height belong to such PERs. The details of the proof appear in [...].



6 Final Remarks and Directions for Future Work 



We conclude this paper with a list of remarks and interesting issues which still remain to be addressed (some of them are currently under investigation).

• In this paper, we have presented a fully-complete model for ML-types. A natural question arises: what happens beyond ML-types? Here is a partial answer. Already at the type $Nat \to Nat$, where $Nat$ is the type of Church's numerals, i.e. $\forall X. (X \to X) \to X \to X$, the PER model of partial involutions is not fully-complete. In fact, not only all recursive functions, but even all functions from natural numbers to natural numbers, can be encoded in the type $Nat \to Nat$. A similar problem arises even if we consider the term combinatory algebra. PER models as they are defined in this paper do not seem to give full-completeness beyond ML-types. An innovative construction is called for here.

• Another question which arises naturally is whether the PER model over the linear term combinatory algebra is fully-complete at ML-types. We conjecture that this is the case, but a proof of this fact seems difficult. A logical relation technique relating the term algebra and the term subalgebra of partial involutions could be useful here. The interest of linear term algebras lies in the fact that the PER model generated by these is essentially the PER model shown to be fully-complete at algebraic types in [...].

• We have presented a linear realizability technique for building PER categories over an LCA. These PER categories turn out to be linear categories. It would be interesting to carry on the investigation of the general properties of these categories, e.g. define coproducts, products, etc.

• Models of partial involutions are worthwhile investigating also for typed/untyped $\lambda$-calculi different from system F. E.g. strategies in the [...] style, which are represented by partial involutions from Opponent moves to Player moves, should provide fully-complete models for simply typed $\lambda$-calculus with $\top, \bot$-base constants. In the untyped setting, partial involution strategies could possibly provide fully-abstract models, alternative to those in [...].

• In the category $PER_{\mathcal A_{Pinv}}$, models of typed Böhm trees naturally arise (e.g. the model induced by the Sierpinski PER). These are in particular models of the simply typed $\lambda$-calculus together with a fixed point combinator, as suggested by Alex Simpson. All these "infinite" calculi seem interesting by themselves, but have not yet been properly investigated.
Subtyping with Power Types*
Abstract. This paper introduces a typed $\lambda$-calculus called $\lambda_{Power}$, a predicative reformulation of part of Cardelli's power type system. Power types integrate subtyping into the typing judgement, allowing bounded abstraction and bounded quantification over both types and terms. This gives a powerful and concise system of dependent types, but leads to difficulty in the meta-theory and semantics which has impeded the application of power types so far. Basic properties of $\lambda_{Power}$ are proved here, and it is given a model definition using a form of applicative structures. A particular novelty is the auxiliary system for rough typing, which assigns simple types to terms in $\lambda_{Power}$. These "rough" types are used to prove strong normalization of the calculus and to structure models, allowing a novel form of containment semantics without a universal domain.

Keywords: type theory, subtyping, dependent types. 



1 Introducing Power Types 

Power types were introduced in a seminal paper by Cardelli [...]. The notion is that $Power(A)$ is a type "whose elements are all of the subtypes of the type $A$,"

$$\frac{A\ \mathrm{type}}{Power(A)\ \mathrm{type}}$$

In place of a separate definition of subtyping, a relation between types is induced by inhabitation of power types, so $A \le B$ is defined as $A : Power(B)$. The rules for power types are chosen to make this definition sensible. Cardelli called the three basic rules power introduction, elimination and subtyping:

$$\frac{A\ \mathrm{type}}{A : Power(A)} \qquad \frac{M : A \qquad A : Power(B)}{M : B} \qquad \frac{A : Power(B)}{Power(A) : Power(Power(B))}$$

The first rule makes the induced subtyping relation reflexive. The second rule is the characteristic subtyping rule of subsumption, which adds subtype polymorphism to the system. The third rule expresses monotonicity of the $Power$ operator, and together with the second rule, it makes the induced subtyping relation transitive. Other rules capture the subtyping behaviour of type constructors.

* Summary version. The full version [...] is available from my web page, address above.



P. Clote and H. Schwichtenberg (Eds.): CSL 2000, LNCS 1862, pp. 156–173, 2000.
© Springer-Verlag Berlin Heidelberg 2000
Cardelli meant his type system to be used for programming languages with object-oriented features. Power types can encode bounded type abstraction and quantification used in OOP with the usual $\lambda$-abstraction and dependent function space, defining $\lambda\alpha \le A.\,M =_{def} \lambda\alpha{:}Power(A).\,M$ and $\forall\alpha \le A.\,B =_{def} \Pi\alpha{:}Power(A).\,B$. This is a simplification, since there is no need to add new constructs. (The work described here grew from a slightly different application: in ASL+ [...], subtyping models specification refinement, and $\lambda X \le SP.\,M$ is a parameterised specification which can be applied to any refinement of $SP$.) Unfortunately, Cardelli's full power type system is tricky to handle: it has impredicative polymorphism via the $Type : Type$ axiom along with other features, rendering it undecidable, inconsistent when viewed as a logic, and difficult to give a semantics to. Later work on Quest [...] used power kinds instead, where $Power(A)$ does not enjoy the status of a type itself.

As far as I know, power types have not been studied extensively since Cardelli's work; this is perhaps the first in-depth study. First I define a calculus called $\lambda_{Power}$ (Section 3). It is almost a fragment of Cardelli's system, except for a richer power introduction rule and an equality judgement. Then I give some brief examples (Section 2), before considering the meta-theory (Section 4) and a semantics (Section 6). The semantics and some of the meta-theory are based on rough typing, a way of assigning "rough" non-dependent types to $\lambda_{Power}$ terms (Section 5). Finally, Section 7 summarizes.

2 Examples in $\lambda_{Power}$

As a calculus of functions, $\lambda_{Power}$ is no more expressive than the simply-typed $\lambda$-calculus.¹ In contrast with Cardelli's system, it is predicative: we cannot write a function which operates on any type, so there is no System F style universal polymorphism. All type operators are parameterised on subtypes of a given type. Despite this, $\lambda_{Power}$ can express complex typings, because of the powerful combination of dependent types and arbitrarily nested power types.

2.1 A Simple Programming Example

Suppose $int$ is an atomic type and let $\Gamma_{perm}$ be the context:

$nat : Power(int)$,

$Upto : nat \to Power(nat)$,

$Perm : \Pi n{:}nat.\ Power((Upto\,n) \to (Upto\,n))$

$Invperm : \Pi n{:}nat.\ (Perm\,n) \to (Perm\,n)$

Imagine that $Upto\,n$ stands for the set $\{\,m \in nat \mid m \le n\,\}$, and $Perm\,n$ is the set of permutations of $\{\,1, \ldots, n\,\}$, which is a subset of the set of functions from $Upto\,n$ to $Upto\,n$. The function $Invperm\,n\,p$ yields the inverse of the permutation $p$ on such a set. Here is a function to apply the inverse of a permutation of $\{\,1, \ldots, n\,\}$ to a number in that range:

$ApplyPerm =_{def} \lambda n{:}nat.\ \lambda p{:}Perm\,n.\ \lambda m{:}Upto\,n.\ Invperm\,n\,p\,m$

Using subsumption for $Invperm\,n\,p$, we can get the expected typing:

$\Gamma_{perm} \triangleright ApplyPerm : \Pi n{:}nat.\ (Perm\,n) \to (Upto\,n) \to (Upto\,n)$.

which reveals that $ApplyPerm\,n\,f$ is in fact a function from $Upto\,n$ to $Upto\,n$.

¹ If $M$ is typable in $\lambda_{Power}$, then the type-erasure of $M$ can be assigned a simple type, treating $\Pi$ and $Power$ as families of constants.



2.2 Subtyping Type Operators and Families 

Systems of higher-order subtyping extend subtyping to type-constructors. The prototypical one is $F^{\omega}_{\le}$ [...], in which one can declare a type variable ranging over type operators, $F \le (\lambda\beta \le nat.\ List(\beta \times \beta))$. A system with dependent types instead of polymorphism is $\lambda P_{\le}$ [...], in which one can declare a variable ranging over type families, $G \le (\lambda x{:}nat.\ Vec_{nat}(5 * x))$. In the first case, $F$ ranges over constructors that map a subtype $\beta$ of $nat$ to a subtype of $List(\beta \times \beta)$; in the second case $G$ ranges over constructors that map an element $x$ of $nat$ to a subtype of the type of vectors of numbers with $5 * x$ elements. Both systems have a pointwise rule for subtyping operators and a corresponding application rule:

$$\frac{\Gamma, \alpha{:}K \triangleright A \le B}{\Gamma \triangleright \lambda\alpha{:}K.\,A \le \lambda\alpha{:}K.\,B}\ (\textsc{sub-}\lambda) \qquad \frac{\Gamma \triangleright H \le J \qquad \Gamma \triangleright J\,G : K}{\Gamma \triangleright H\,G \le J\,G}\ (\textsc{sub-app})$$

The second premise of (sub-app) ensures that the application $J\,G$ is well-typed; this implies that $H\,G$ is also well-typed. Here's an example using (sub-app):

$$\frac{G\,n \le (\lambda x{:}nat.\ Vec_{nat}(5 * x))\,n \qquad (\lambda x{:}nat.\ Vec_{nat}(5 * x))\,n \le Vec_{nat}(5 * n)}{G\,n \le Vec_{nat}(5 * n)}$$

(where $n : nat$ in the context). This is derived using conversion and transitivity.

In $\lambda_{Power}$, there is no rule directly corresponding to (sub-$\lambda$). Indeed it is impossible to prove anything with the form $\Gamma \triangleright \lambda\alpha{:}K.\,A : Power(G)$. The rules above are hard to interpret semantically, because the interpretation of $\lambda\alpha{:}K.\,A : Power(G)$ must be considered pointwise rather than as a subset inclusion, so the meaning of $Power$ would depend on its context in a term.

Perhaps surprisingly, power types can express similar typings without the pointwise rules. Suppose that $F$ is a subtype of a type-constructor $H$ with domain $K$; this is like asking $F$ to be an element of $\Pi\alpha{:}K.\ Power(H\,\alpha)$, since each application $F\,M$ must be a subtype of $H\,M$. This "$\eta$-like" expansion for $\Pi$-types works uniformly,² and we can declare:

$F : \Pi\beta{:}Power(nat).\ Power(List(\beta \times \beta))$

$G : \Pi x{:}nat.\ Power(Vec_{nat}(5 * x))$

To derive $G\,n \le Vec_{nat}(5 * n)$ we need only one use of ordinary application:

$$\frac{G : \Pi x{:}nat.\ Power(Vec_{nat}(5 * x)) \qquad n : nat}{G\,n : Power(Vec_{nat}(5 * n))}$$

Substitution in the application rule for dependent products takes the place of the conversion and transitivity needed before, so derivations in $\lambda_{Power}$ can be more direct.³

2.3 $\lambda_{Power}$ as a Logical Framework

$\lambda_{Power}$ is related to $\lambda P$, which underlies the Edinburgh LF [...]. It's quite easy to see that $\lambda_{Power}$ can be used in the same way as $\lambda P$. Let $\nu$ be an atomic type. Then declare a universe of types by writing $U =_{def} Power(\nu)$. We can use $U$ in place of $Type$ in LF, to declare the term formers and judgements of a logic. If $\Gamma \triangleright A : U$ and $\Gamma, x : A \triangleright B : U$, then we do not have $\Gamma \triangleright \Pi x{:}A.\,B : U$, but rather $\Gamma \triangleright \Pi x{:}A.\,B : Power(\Pi x{:}A.\,\nu)$. Since $\lambda P$ lacks quantification or abstraction over types, this difference has little effect, and we can translate any $\lambda P$ judgement into one which holds in $\lambda_{Power}$.⁴ With power types we can declare one syntactic category to be a subtype of another, or one judgement to be a subtype of another, so that every proof of the first judgement is also a proof of the second. This is also possible in the proposals studied in [...], but $\lambda_{Power}$ goes beyond both these systems by allowing refinements of the universe $U$ itself.

Gardner proposed doing this [...] to help adequacy proofs. She defined a framework ELF+ which distinguishes between terms that represent: object-level syntax, proof terms, and other terms. To emulate ELF+ in $\lambda_{Power}$, declare three subtypes: $Sort : Power(U)$, $Judge : Power(U)$, and $Type : Power(U)$.

An encoding where power types are useful is higher-order logic (HOL). Simple types $\tau$ of the form $\iota$, $o$, and $\tau \Rightarrow \tau$ are encoded in an LF type $dom : Type$, with $\iota, o : dom$, ${\Rightarrow} : dom \to dom \to dom$ and $obj : dom \to Type$. HOL terms with domain $\tau$ are represented as elements of $obj(\tau)$. ELF+ improves this, showing $dom$ and $obj$ to be artifacts of the encoding, inhabiting $Type$, and typing $obj : dom \to Sort$, showing that elements of $obj(\tau)$ correspond to object logic syntax. But in both LF and ELF+, the proliferation of $obj$ quickly pollutes large terms. In $\lambda_{Power}$, we can remove it altogether and declare $dom : Power(Sort)$. The mapping $obj$ is now implicit; the representation of the logic becomes more concise, yet no less accurate. For example, the application term former becomes:

$app : \Pi s, t : dom.\ (s \Rightarrow t) \to s \to t$

instead of

$app : \Pi s, t : dom.\ obj(s \Rightarrow t) \to obj(s) \to obj(t)$.

² This idea also appears in Crary's $\lambda K$ system which has power kinds [...].

³ But practical effects on type-checking algorithms have not been investigated yet.

⁴ Perhaps, moreover, $\lambda_{Power}$ is conservative over $\lambda P$ under this translation.

Although simple, it is important to emphasise that this example goes beyond many other subtyping proposals. Power types apply uniformly; other systems would have to be extended with sub-kinding to cope with this example.



3 The System $\lambda_{Power}$

Let $\mathcal V$ be a fixed countably infinite set of variables and $\mathcal K$ be a set of atomic type constants. The set $\mathcal T_{\mathcal K}$ of pre-terms is given by:

$\mathcal T ::= \mathcal K \mid \mathcal V \mid \lambda\mathcal V{:}\mathcal T.\,\mathcal T \mid \mathcal T\,\mathcal T \mid \Pi\mathcal V{:}\mathcal T.\,\mathcal T \mid Power(\mathcal T)$

(writing $\mathcal T$ as short for $\mathcal T_{\mathcal K}$). For meta-variables I use $x, y, \ldots \in \mathcal V$, $k, \ldots \in \mathcal K$, and $A, B, \ldots, M, N, \ldots \in \mathcal T$. Usual conventions are used for writing pre-terms. A pre-context is a sequence of variable declarations $x_1 : A_1, x_2 : A_2, \ldots$ where no variable is declared more than once. The empty pre-context is sometimes written $\emptyset$, otherwise it is invisible. I use $\Gamma$ and variants to range over pre-contexts.

Not all pre-terms make sense. The well-formed pre-terms consist of terms and types, defined in Definition 3.1 below. These are not disjoint; types are also terms of the calculus. Terms and types are defined via three judgement forms:

$\triangleright \Gamma$ $\qquad$ $\Gamma$ is a well-formed context

$\Gamma \triangleright M : A$ $\qquad$ In context $\Gamma$, $M$ has type $A$

$\Gamma \triangleright M = N : A$ $\qquad$ In context $\Gamma$, $M$ and $N$ are equal at type $A$

These judgements are defined simultaneously by the rules shown at the end of the paper. The system $\lambda_{Power}$ is close to a predicative fragment of Cardelli's original system [...]; the difference is that we use an equality judgement in the presentation, and the more powerful (refl). Here is a brief outline of the rules.

Context formation (Figure 1). These rules are standard. The judgement $\Gamma \triangleright A : Power(B)$ serves to say that $A$ is a well-formed type, as well as asserting that $A$ is a subtype of $B$. This is a general pattern.

Typing rules (Figure 1). Most rules are standard. The rule (atomic) introduces atomic types; each atomic type is a subtype of itself, so is self-evidently well-formed. The rule-scheme (refl) is novel; it expands to this:

$$\frac{\Gamma \triangleright M : \Pi x_1{:}A_1.\ \ldots\ \Pi x_n{:}A_n.\ Power(B)}{\Gamma \triangleright M : \Pi x_1{:}A_1.\ \ldots\ \Pi x_n{:}A_n.\ Power(M\,x_1 \cdots x_n)}$$

Reflexivity of subtyping for types is the case that $n = 0$. For each $n > 0$, the rule (refl) asserts reflexivity of subtyping for $n$-ary type-valued functions⁵ (the example in Section 2.3 motivates this). The rule ($\Pi$) generalises the usual contravariant subtyping rule for function spaces to dependent products. The last premise is a well-formedness check.

⁵ A technical note: (refl) adds a case of $\eta$-subject reduction to the system; if $y : \Pi x{:}A.\ Power(B)$ then with ($\lambda$) we get $\lambda x{:}A.\,y\,x : \Pi x{:}A.\ Power(y\,x)$, but we need (refl) to get $y : \Pi x{:}A.\ Power(y\,x)$.

Equality rules (Figure 2). These rules are standard.

Definition 3.1 (Terms, types and subtypes). We say that $M$ is a $\Gamma$-term if for some $A$, $\Gamma \triangleright M : A$; $A$ is a $\Gamma$-type if for some $B$, $\Gamma \triangleright A : Power(B)$; and $A$ is a subtype of $B$ in $\Gamma$ if $\Gamma \triangleright A : Power(B)$.

The adjective "well-formed" emphasises that a pre-term can be typed in the calculus, as required by Definition 3.1. There are three derived judgement forms:

$\Gamma \triangleright A \le B$ $\quad =_{def} \quad$ $\Gamma \triangleright A : Power(B)$

$\Gamma \triangleright A\ \mathrm{type}$ $\quad =_{def} \quad$ for some $B$, $\Gamma \triangleright A : Power(B)$

$\Gamma \triangleright A = B$ $\quad =_{def} \quad$ for some $C$, $\Gamma \triangleright A = B : Power(C)$

Section 4 shows that these definitions make sense.

4 Properties of $\lambda_{Power}$

The development begins with showing derivability of several rules: that the in- 
duced subtype relation is a pre-order, and that type equality is reflexive and 
symmetric. I distinguish derivable rules from those which are admissible but 
not derivable because in the semantics we consider some important admissible 
rules (namely, substitution and thinning) as part of the system, making sure they 
are valid in every model. Some authors add these “important” admissible rules 
to the presentation but this spoils the inductive proof of several meta-properties. 

Notation 4.1. Let $\Gamma = x_1 : A_1, \ldots$ be a pre-context. Let $Dom(\Gamma) =_{def} \{\,x_1, \ldots\,\}$ be the set of variables $\Gamma$ declares, and $\Gamma|_{x_i} =_{def} x_1 : A_1, \ldots, x_{i-1} : A_{i-1}$ be the restriction of $\Gamma$ up to $x_{i-1}$. Define $\Gamma(x_i) =_{def} A_i$, viewing $\Gamma$ as a partial mapping $\Gamma : \mathcal V \rightharpoonup \mathcal T$. Define $\Gamma \subseteq \Gamma'$ iff every declaration $x_i : A_i$ in $\Gamma$ also appears in $\Gamma'$.

I use $J$ to range over judgements of the system, and $\Gamma \triangleright J$ for a judgement with context $\Gamma$. A simultaneous substitution is a partial map from variables to pre-terms; a renaming is the special case of a simultaneous substitution which is a bijection on a subset of $\mathcal V$. Substitution is extended to contexts and judgements componentwise, e.g., if $\Gamma = x_1 : A_1, \ldots$ then $\Gamma[N/x] = x_1 : A_1[N/x], x_2 : \ldots, \ldots$.

We first prove by induction on derivations that the usual good properties for subtyping systems hold: context formation, renaming, thinning, substitution and bound narrowing (replacing $x : A$ with $x : A'$ where $A' : Power(A)$). Next we show the important formation and type correctness properties.

Proposition 4.2 (Formation).

1. $\Gamma \triangleright \lambda x{:}A.\,M : C \ \Rightarrow\ \Gamma \triangleright A\ \mathrm{type}$ and $\exists B.\ \Gamma, x : A \triangleright M : B$.

2. $\Gamma \triangleright M\,N : C \ \Rightarrow\ \exists A, B.\ \Gamma \triangleright M : \Pi x{:}A.\,B$ and $\Gamma \triangleright N : A$.

3. $\Gamma \triangleright \Pi x{:}A.\,B : C \ \Rightarrow\ \Gamma \triangleright A\ \mathrm{type}$ and $\Gamma, x : A \triangleright B\ \mathrm{type}$.

4. $\Gamma \triangleright Power(A) : C \ \Rightarrow\ \Gamma \triangleright A\ \mathrm{type}$.

Proposition 4.3 (Type correctness).

1. $\Gamma \triangleright M : A \ \Rightarrow\ \Gamma \triangleright A\ \mathrm{type}$.

2. $\Gamma \triangleright M = N : A \ \Rightarrow\ \Gamma \triangleright A\ \mathrm{type}$ and $\Gamma \triangleright M, N : A$.

The few basic equality rules of Figure 2 have some important admissible rules as consequences, proved using the propositions above. These include congruence rules for the type constructors, and rules of subsumption, conversion and substitution for the equality judgement itself. For details, see [2]. An important intermediate stage is proving the transitivity of type equality, using this rule:

$$\frac{\Gamma \triangleright A = B : Power(C)}{\Gamma \triangleright A = B : Power(B)}\ (\textsc{eq-sub-refl})$$

This shows that type equality is "absolute", in the sense that the derivability of $A = B : Power(C)$ is not affected by the choice of $C$ when $A$ and $B$ are types such that $A, B : Power(C)$.⁶ In general, we expect this for type equality, but not necessarily for term equality. It is typical for subtyping calculi that the equality of two terms may vary across their common types. The semantics considered later reflects these ideas.



4.1 Further Properties 



We would like to prove more about the $\lambda_{Power}$ system than the properties in the previous section. One desirable property is the important practical property of subject reduction: if $\Gamma \triangleright M : A$ and $M \to M'$, then $\Gamma \triangleright M' : A$ too. Unfortunately it seems difficult to prove for $\lambda_{Power}$. The key is a generation principle, which gives a way of decomposing derivations by stating how a particular judgement was derived. Proposition 4.2 is a weak generation principle, but it is not strong enough. For a judgement $\Gamma \triangleright N : C$, we need a principle which connects $C$ with the judgements about subterms of $N$ asserted to exist. For the $\lambda$-case, a first approximation might be this: if $\Gamma \triangleright \lambda x{:}A.\,M : C$ then $C = \Pi x{:}A'.\,B'$, where $\Gamma \triangleright A' \le A$ and there is a $B$ such that $\Gamma, x : A \triangleright M : B$ and $\Gamma, x : A' \triangleright B \le B'$. This captures the observation that after applying ($\lambda$) there can be several subsumptions and conversions through which $\Pi x{:}A.\,B$ mutates into $C$:



$$\frac{\Gamma, x : A \triangleright M : B}{\lambda x{:}A.\,M : \Pi x{:}A.\,B}\ (\lambda) \qquad \cdots \qquad \frac{\lambda x{:}A.\,M : C_j \qquad C_j \le C_{j+1}}{\lambda x{:}A.\,M : C_{j+1}}\ (\textsc{sub}) \qquad \cdots \qquad \frac{\lambda x{:}A.\,M : C_k \qquad C_k = C_{k+1}}{\lambda x{:}A.\,M : C_{k+1}}\ (\textsc{conv}) \qquad \cdots \qquad \lambda x{:}A.\,M : C$$

⁶ If there is a $C'$ such that $B : Power(C')$ then $A = B : Power(C')$ too by (eq-sub-refl), (Power), and subsumption for equality.
The cut-like rules (sub) and (conv) make it hard to prove the statement directly, because to "join up" the arbitrary $C_i$'s in the intervening typings we want to use the generation principle being proved. It is worse than this, because (refl) can introduce other detours, so the putative statement above needs altering.

The traditional syntactic solution to this problem is to give a syntax-directed reformulation of the system, eliminating the cut-like rules. Unfortunately this technique does not apply easily to $\lambda_{Power}$. The sticking point is bounded operator abstraction, which makes it hard to prove substitution lemmas in the syntax-directed system before proving other properties which depend on substitution. A related solution involves giving a revised definition of the subtyping relation from the outset, on pre-terms. This too is difficult for power types, which have no separate subtyping judgement anyway. The problem remains open.



5 Rough Type-Checking

Although $\lambda_{Power}$ is a dependently-typed calculus, we can approximate type-checking using "rough" types without term dependency. Rough type-checking is useful because it enforces a structural well-formedness property that is necessary for typability in the full system. Two pre-terms which are in the full typing relation of $\lambda_{Power}$ have related rough types, and two terms which are equal in the equational theory have the same rough type. The idea of rough type-checking comes from [?], which suggested that rough types could be used to give a semantics to ASL+. This is done for $\lambda_{Power}$ in Section 6. Another application of rough types is the proof of strong normalization for $\lambda_{Power}$ [?].

5.1 Rough Typing System

Given a set $K$ of atomic types, the set $\mathit{Ty}_K$ of rough types over $K$ consists of type constants, arrow types, and power types, defined by the grammar:

$$\mathit{Ty} ::= K \mid \mathit{Ty} \Rightarrow \mathit{Ty} \mid P(\mathit{Ty})$$

(writing $\mathit{Ty}$ as short for $\mathit{Ty}_K$). I use $\tau, \upsilon, \ldots$ to range over $\mathit{Ty}$. There are two rough typing judgements, using filled triangles:

$\blacktriangleright \Gamma$ \qquad $\Gamma$ is a roughly-typable context

$\Gamma \blacktriangleright M : \tau$ \qquad $M$ has rough type $\tau$ in $\Gamma$

The judgements are defined inductively by the rules in Figure 3. Notice that full $\lambda_{Power}$ contexts are used in the rough typing judgements.

One can understand the rough typing rules as an abstract interpretation of terms-in-context, which follows set-theoretic intuitions for the calculus. The rough type of a term tells us what kind of beast it denotes: lambda terms denote functions and have arrow rough-types; atomic types and power types denote collections of values and have power rough-types. A term $\Pi x{:}A.\,B$ has a rough type of the form $P(\tau \Rightarrow \upsilon)$, indicating that it denotes a collection of functions.
Example 5.1. To illustrate rough typing, recall the example context $\Gamma_{PERM}$ introduced earlier. We can derive these rough typings:

$\Gamma_{PERM} \blacktriangleright \mathit{Perm} : int \Rightarrow P(int \Rightarrow int)$

$\Gamma_{PERM} \blacktriangleright \mathit{Invperm} : int \Rightarrow (int \Rightarrow int) \Rightarrow (int \Rightarrow int)$.

At once we see how "rough" this is: $\mathit{Perm}$ and $\mathit{Invperm}$ were defined on $nat$, but $nat$ gets replaced by the atomic type $int$.

In general, rough typing judgements, or to be more precise their translation got by mapping $\tau \Rightarrow \upsilon$ to $\Pi x{:}\tau.\,\upsilon$, do not hold in the full $\lambda_{Power}$ type system. Certainly we do not have:

$\Gamma_{PERM} \rhd \mathit{Perm} : int \to Power(int \to int)$

because, for starters, $\mathit{Perm}$ is not defined on all of $int$. In Theorem 5.4 we prove that typability in the full calculus guarantees rough typability. The above example shows that the converse fails, since:

$\Gamma_{PERM}, i : int \blacktriangleright \mathit{Perm}\ i : P(int \Rightarrow int)$

but $\mathit{Perm}\ i$ cannot be typed in the full system.$^1$

It is easier to establish properties of the rough-typing system than the full system, because the types are non-dependent and subtyping has been removed. First, we have the usual thinning, substitution and also strengthening properties for the rough type system. Then we can prove decidability and subject reduction.

Proposition 5.2 (Properties of rough typing).

1. If $\Gamma \blacktriangleright M : \tau$, then $\tau$ is the unique such rough type.

2. Rough type-checking and rough type-inference are decidable.$^2$
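The rough typing rules of Figure 3 are simple enough to implement directly, which also makes the uniqueness and decidability claims of Proposition 5.2 concrete. The following Python is an added example and is not code from the paper; the context it builds is a constructed assumption (the paper's own $\Gamma_{PERM}$ is not reproduced on this page), chosen so that $\mathit{Perm}$ and $\mathit{Invperm}$ receive the rough types of Example 5.1.

```python
"""Rough type inference for lambda_Power pre-terms, following the rules of Figure 3.
Added example (not from the paper). The context below is constructed: the paper's
own Gamma_PERM is not shown on this page, so the declarations of nat, Perm and
Invperm here are assumptions chosen to reproduce the rough types of Example 5.1."""

# Pre-terms:   ('atom', kappa) | ('var', x) | ('lam', x, A, M) | ('app', M, N)
#              | ('pi', x, A, B) | ('power', A)
# Rough types: ('K', kappa) | ('arrow', tau, upsilon) | ('P', tau)


class RoughTypeError(Exception):
    """Raised when no rough typing rule applies (the term is not roughly typable)."""


def show(t):
    """Print a rough type with => associating to the right, as in the paper."""
    if t[0] == 'K':
        return t[1]
    if t[0] == 'P':
        return 'P(' + show(t[1]) + ')'
    left = show(t[1]) if t[1][0] != 'arrow' else '(' + show(t[1]) + ')'
    return left + ' => ' + show(t[2])


def expect_P(t, what):
    """Unwrap P(tau); every premise of the form 'Gamma |> A : P(tau)' goes through here."""
    if t[0] != 'P':
        raise RoughTypeError(f'{what} has rough type {show(t)}, not a power type')
    return t[1]


def rough_type(ctx, term):
    """Gamma |> M : tau.  ctx is a full lambda_Power context: a list of (x, A), A a pre-term."""
    kind = term[0]
    if kind == 'atom':                                   # kappa : P(kappa)
        return ('P', ('K', term[1]))
    if kind == 'var':                                    # Gamma\x |> Gamma(x) : P(tau) gives x : tau
        x = term[1]
        for i in range(len(ctx) - 1, -1, -1):            # innermost declaration wins
            if ctx[i][0] == x:
                return expect_P(rough_type(ctx[:i], ctx[i][1]), 'type of ' + x)
        raise RoughTypeError('unbound variable ' + x)
    if kind == 'lam':                                    # A : P(tau), Gamma,x:A |> M : upsilon
        _, x, A, M = term
        tau = expect_P(rough_type(ctx, A), 'domain of lambda')
        return ('arrow', tau, rough_type(ctx + [(x, A)], M))
    if kind == 'app':                                    # M : tau => upsilon, N : tau
        _, M, N = term
        tm, tn = rough_type(ctx, M), rough_type(ctx, N)
        if tm[0] != 'arrow' or tm[1] != tn:
            raise RoughTypeError(f'cannot apply {show(tm)} to {show(tn)}')
        return tm[2]
    if kind == 'pi':                                     # A : P(tau), Gamma,x:A |> B : P(upsilon)
        _, x, A, B = term
        tau = expect_P(rough_type(ctx, A), 'domain of Pi')
        ups = expect_P(rough_type(ctx + [(x, A)], B), 'codomain of Pi')
        return ('P', ('arrow', tau, ups))
    if kind == 'power':                                  # A : P(tau) gives Power(A) : P(P(tau))
        return ('P', ('P', expect_P(rough_type(ctx, term[1]), 'argument of Power')))
    raise RoughTypeError('unknown term form ' + repr(kind))


def roughly_typable_context(ctx):
    """|> Gamma: each declared type must have a power rough type in the preceding context."""
    for i, (x, A) in enumerate(ctx):
        expect_P(rough_type(ctx[:i], A), 'declaration of ' + x)
    return True


def try_rough_type(ctx, term):
    """Decidability in practice: the unique rough type, or None if there is none."""
    try:
        return rough_type(ctx, term)
    except RoughTypeError:
        return None


# Constructed context (assumption): nat is a subtype of int, Perm sends a bound to a
# collection of functions on nat, Invperm maps a bound and a function to a function.
INT, NAT = ('atom', 'int'), ('var', 'nat')
NAT_TO_NAT = ('pi', 'i', NAT, NAT)
GAMMA_PERM = [
    ('nat', ('power', INT)),                                    # nat : Power(int)
    ('Perm', ('pi', 'n', NAT, ('power', NAT_TO_NAT))),          # Perm : Pi n:nat. Power(nat -> nat)
    ('Invperm', ('pi', 'n', NAT, ('pi', 'f', NAT_TO_NAT, NAT_TO_NAT))),
]

if __name__ == '__main__':
    for name in ('Perm', 'Invperm'):
        print(name, ':', show(rough_type(GAMMA_PERM, ('var', name))))
    ext = GAMMA_PERM + [('i', INT)]
    print('Perm i :', show(rough_type(ext, ('app', ('var', 'Perm'), ('var', 'i')))))
    print('Perm Perm :', try_rough_type(GAMMA_PERM, ('app', ('var', 'Perm'), ('var', 'Perm'))))
```

Running the script prints the rough types of $\mathit{Perm}$, $\mathit{Invperm}$ and $\mathit{Perm}\ i$, and reports None for $\mathit{Perm}\ \mathit{Perm}$, which has no rough type because the argument's rough type is not $int$. Note what the checker does not do: it accepts $\mathit{Perm}\ i$ although, as observed above, that term is not typable in the full system, so rough typability is a necessary filter only.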



Proposition 5.3 (Subject reduction for rough typing). If $\Gamma \blacktriangleright M : \tau$ and $M \to M'$, then $\Gamma \blacktriangleright M' : \tau$ too.

The agreement property below is the important connection between rough types and typing in full $\lambda_{Power}$, claimed at the beginning of this section.

Theorem 5.4 (Agreement of rough typing).

1. If $\rhd \Gamma$ then $\blacktriangleright \Gamma$.

2. If $\Gamma \rhd M : A$ then for some $\tau \in \mathit{Ty}$, $\Gamma \blacktriangleright M : \tau$ and $\Gamma \blacktriangleright A : P(\tau)$.

3. If $\Gamma \rhd M = N : A$ then for some $\tau \in \mathit{Ty}$, $\Gamma \blacktriangleright M, N : \tau$ and $\Gamma \blacktriangleright A : P(\tau)$.

$^1$ To prove this rigorously we need to use a generation principle or model construction.

$^2$ Assuming we can decide syntactic identity of atomic types, i.e., whether $\kappa = \kappa'$.
6 Semantics

Subtyping calculi have two basic kinds of model. With a typed value space, we may choose a coercion semantics, where each use of subsumption is modelled by the insertion of a coercion from type to supertype: if $A \le B$, there is a map $c_{A,B} : [\![A]\!] \to [\![B]\!]$. This is a general setting, but it requires a coherence property of the interpretation, to show that different ways of putting coercions into a coercion-free judgement have the same interpretation. The coherence property can be difficult to establish. The other kind of model is a containment semantics in which subtyping is interpreted as containment between types: $[\![A]\!] \subseteq [\![B]\!]$. There is no problem of coherence in this case, but there is a difficulty with the rule for subtyping $\Pi$-types. In the syntax we have $int \to int \le nat \to int$, but this does not hold as a set-theoretic inclusion: $\mathbb{Z} \to \mathbb{Z} \not\subseteq \mathbb{N} \to \mathbb{Z}$ when the semantic $\to$ is set-theoretic function space. This is usually solved by interpreting $nat \to int$ as the collection of all partial functions defined at least on $\mathbb{N}$; then the inclusion $\mathbb{Z} \to \mathbb{Z} \subseteq \mathbb{N} \to \mathbb{Z}$ holds. But then we need a universe of values over which to form this "collection of all partial functions," and this is what leads to an untyped value space in containment semantics. Typically, the untyped value space is the domain of a model of the untyped $\lambda$-calculus, and the denotation of a term is defined using its type-erasure [?]. But it is a surprising overkill to base a semantics for a calculus as simple as $\lambda_{\le}$ (the extension of $\lambda^{\to}$ with subtyping) on a model of the untyped $\lambda$-calculus which requires a universal domain.

For power types, a containment semantics is natural and is the intended model for ASL+. I shall give a containment semantics for $\lambda_{Power}$ which is nevertheless based on a typed value space. Rough types make this possible. Whenever $A \le B$, then $A$ and $B$ have the same rough type $P(\tau)$, say, and so both may be interpreted as subsets of the interpretation of $\tau$: $[\![A]\!] \subseteq [\![B]\!] \subseteq [\![\tau]\!]$. Since every type $\Pi x{:}C.\,D$ has a rough type of the form $P(\tau_C \Rightarrow \tau_D)$, we can form the "collection of all functions with domain at least $[\![C]\!]$" using $[\![\tau_C]\!]$ as a universe, instead of a universal domain. The final ingredient is the equational theory of subtyping, where the equality of two terms may depend upon the type at which they are viewed. To deal with this, we use PERs rather than sets. The following sections give an abstract model definition for $\lambda_{Power}$ based on these ideas, beginning from applicative structures. The reason for an abstract definition is to capture both the intended model and a term model; the term model is unusual for using an external equality notion rather than quotients (because of this, extensionality is not assumed from the start). Space reasons prevent description of the term model here; see [?] for details.

6.1 Structures

A $\lambda_{Power}$ applicative structure is similar to a typed applicative structure for $\lambda^{\to}$. It provides semantic domains for every rough type; the domains are sets.

Definition 6.1 ($\lambda_{Power}$ applicative structure). A $\lambda_{Power}$ applicative structure $\mathcal{D} = (D, \mathit{Const}, \mathit{App})$ consists of a family of sets $D^{\tau}$ for $\tau \in \mathit{Ty}$, constants $\mathit{Const}(\kappa) \in D^{P(\kappa)}$ for each $\kappa \in K$, and a mapping $\mathit{App}^{\tau,\upsilon} : D^{\tau \Rightarrow \upsilon} \to D^{\tau} \to D^{\upsilon}$ for each $\tau, \upsilon \in \mathit{Ty}$. Type annotations $\tau, \upsilon$ are sometimes omitted for brevity. □



Notation 6.2. Given a set $S$, $\mathrm{REL}(S)$ is the set of relations on $S$, $\mathrm{REL}(S) =_{def} \mathit{Pow}(S \times S)$. If $R \in \mathrm{REL}(S)$, then $\mathit{dom}(R) = \{a \mid a\ R\ a\}$. A relation is a partial equivalence (PER) if it is symmetric and transitive; $\mathrm{PER}(S)$ is the set of PERs on $S$. The notation $a \mapsto f(a)$ stands for the function mapping $a$ to $f(a)$.



Example 6.3 (Full hierarchy structure). Given a family of sets and PERs $\mathcal{C} = \{C_\kappa, R_\kappa\}_{\kappa \in K}$ with $R_\kappa \in \mathrm{PER}(C_\kappa)$, the full hierarchy $\mathcal{F}_{\mathcal{C}}$ on $\mathcal{C}$ has $D^{\kappa} = C_\kappa$, $D^{\tau \Rightarrow \upsilon} = D^{\tau} \to D^{\upsilon}$ (the full function space), $D^{P(\tau)} = \mathrm{REL}(D^{\tau})$, $\mathit{App}(f, m) = f(m)$, and $\mathit{Const}(\kappa) = R_\kappa$. □

In the full hierarchy structure, $D^{P(\tau)}$ is the set of all relations over $D^{\tau}$ rather than the set of all PERs. This is for a technical reason: because the interpretation in the full structure (Example 6.7) is defined over rough types, the type-constructors are not guaranteed to construct PERs.



6.2 Environments and Interpretations

For each roughly-typable context $\Gamma$, we define a semantic domain $D^{\Gamma}$ by induction on $\Gamma$, setting $D^{\emptyset} = \{*\}$ and $D^{\Gamma, x{:}A} = D^{\Gamma} \times D^{\tau}$, where $\Gamma \blacktriangleright A : P(\tau)$ and $\{*\}$ is some singleton set. A $\Gamma$-environment is a nested tuple $\eta \in D^{\Gamma}$. Because we use a name-free denotation, if $\phi$ is a renaming on $\mathit{Dom}(\Gamma)$ then $\eta$ is a $\phi(\Gamma)$-environment iff it is a $\Gamma$-environment. Given a $\Gamma$-environment $\eta \in D^{\Gamma}$, we can define a projection function from the variables of $\Gamma$:

$$
\eta^{\emptyset}(y) = \text{undefined, for all } y,
\qquad
\eta^{\Gamma, x{:}A}(y) = \begin{cases} \mathit{snd}(\eta) & \text{if } y = x, \\ (\mathit{fst}\ \eta)^{\Gamma}(y) & \text{if } y \ne x. \end{cases}
$$

So if $\Gamma{\setminus}x \blacktriangleright \Gamma(x) : P(\tau)$, then $\eta^{\Gamma}(x) \in D^{\tau}$. Thinning between environments is defined using this projection notation. If $\Gamma_1 \subseteq \Gamma_2$, $\eta_1 \in D^{\Gamma_1}$ and $\eta_2 \in D^{\Gamma_2}$, then $\eta_1 \subseteq \eta_2$ iff $\eta_1^{\Gamma_1}(x) = \eta_2^{\Gamma_2}(x)$ for all $x \in \mathit{Dom}(\Gamma_1)$. The notation $\eta|_{x_i}$ stands for the restriction of a $\Gamma$-environment $\eta$ to variables declared before $x_i$, meaning the shorter tuple $\mathit{fst}^{\,n-i+1}(\eta)$ where $x_i$ is the $i$th of the $n$ variables declared in $\Gamma$.

Unlike a partial function environment, this tupled form has an explicit notion of the domain $D^{\Gamma}$ associated to a context. We need this because relations over $D^{\Gamma}$ are used in the soundness proof. Using tuples gives us an interpretation function reminiscent of the semantics of $\lambda^{\to}$ in (set-like) CCCs.

Definition 6.4 ($\lambda_{Power}$ interpretation). A $\lambda_{Power}$ interpretation in $\mathcal{D}$ consists of a meaning function $[\![\Gamma \blacktriangleright M : \tau]\!]_\eta$, defined for each roughly-typable context $\Gamma$, rough type $\tau \in \mathit{Ty}$, term $M$ and environment $\eta \in D^{\Gamma}$, such that whenever $\Gamma \blacktriangleright M : \tau$ and $\eta \in D^{\Gamma}$, then $[\![\Gamma \blacktriangleright M : \tau]\!]_\eta \in D^{\tau}$; and, for each $\tau \in \mathit{Ty}$, a mapping $\mathit{Rel}_\tau : D^{P(\tau)} \to \mathrm{REL}(D^{\tau})$. Type annotations $\tau$ may be omitted for brevity. □

When $a \in D^{P(\tau)}$ I sometimes use $R_a$ as shorthand for $\mathit{Rel}_\tau(a)$. The mapping $\mathit{Rel}$ models the behaviour (or extension) of elements denoting types, just as $\mathit{App}$ models the extension of elements denoting functions. It is part of the interpretation so we can consider different "views" of types in the same structure. Definition 6.4 does not require a priori that $R_a$ is a PER, for the reason outlined before; instead the soundness theorem will imply that any type of $\lambda_{Power}$ denotes a PER. This differs slightly from other model definitions for dependent types which use a partial definition, proved to be total on well-typed terms. Instead we require that an interpretation is defined on all roughly-typed terms.

6.3 Models

We will use some constructions on relations. Let $\mathcal{D}$ be a $\lambda_{Power}$ interpretation. Given $R \in \mathrm{REL}(D^{\tau})$ and $G \in \mathit{dom}(R) \to \mathrm{REL}(D^{\upsilon})$, we define $\Pi(R, G) \in \mathrm{REL}(D^{\tau \Rightarrow \upsilon})$ and $\mathit{Pwr}(R) \in \mathrm{PER}(D^{P(\tau)})$ by:

$$
\begin{array}{lcl}
f\ \Pi(R,G)\ g & \text{iff} & \forall a, b.\ (a\ R\ b) \Rightarrow \mathit{App}(f, a)\ G(a)\ \mathit{App}(g, b). \\
a\ \mathit{Pwr}(R)\ b & \text{iff} & \mathit{Rel}(a) = \mathit{Rel}(b) \in \mathrm{PER}(D^{\tau}) \text{ and } \mathit{Rel}(a) \subseteq R.
\end{array}
$$

Fact 6.5. If $R \in \mathrm{PER}(D^{\tau})$ and $G(a) = G(b) \in \mathrm{PER}(D^{\upsilon})$ whenever $a\ R\ b$, then $\Pi(R, G) \in \mathrm{PER}(D^{\tau \Rightarrow \upsilon})$.

Definition 6.6 ($\lambda_{Power}$ environment model). A $\lambda_{Power}$ environment model for a structure $\mathcal{D}$ is an interpretation for $\mathcal{D}$ such that the following 9 conditions are satisfied, for all suitable roughly-typable terms. For roughly-typable contexts $\Gamma, \Gamma_1, \Gamma_2$ and all $\eta \in D^{\Gamma}$, $\eta_1 \in D^{\Gamma_1}$, $\eta_2 \in D^{\Gamma_2}$ with $\eta_1 \subseteq \eta_2$:

CONST: $[\![\kappa]\!]_\eta = \mathit{Const}(\kappa)$.

VAR: $[\![x]\!]_\eta = \eta^{\Gamma}(x)$.

CONST2: $R_{[\![\kappa]\!]_\eta} \in \mathrm{PER}(D^{\kappa})$.

APP: $[\![M\,N]\!]_\eta = \mathit{App}([\![M]\!]_\eta, [\![N]\!]_\eta)$.

FAMILY: If for all $a, b$, $a\ R_{[\![A]\!]_\eta}\ b$ implies $R_{[\![B]\!]_{(\eta,a)}} = R_{[\![B]\!]_{(\eta,b)}}$, then $R_{[\![\Pi x{:}A.\,B]\!]_\eta} = \Pi(R_{[\![A]\!]_\eta},\ a \mapsto R_{[\![B]\!]_{(\eta,a)}})$.

SUBSET: $R_{[\![Power(C)]\!]_\eta} = \mathit{Pwr}(R_{[\![C]\!]_\eta})$.

ABS: If $\forall d, e.\ d\ R_{[\![A]\!]_\eta}\ e \Rightarrow [\![M]\!]_{(\eta,d)}\ R_{[\![B]\!]_{(\eta,d)}}\ [\![M]\!]_{(\eta,e)}$, then $\forall d, e.\ d\ R_{[\![A]\!]_\eta}\ e \Rightarrow \mathit{App}([\![\lambda x{:}A.\,M]\!]_\eta, d)\ R_{[\![B]\!]_{(\eta,d)}}\ [\![M]\!]_{(\eta,e)}$.

THIN: If $\phi$ is a renaming on $\mathit{Dom}(\Gamma_1)$ such that $\phi(\Gamma_1) \subseteq \Gamma_2$, then $[\![\phi(\Gamma_1) \blacktriangleright \phi(M) : \tau]\!]_{\eta_1} = [\![\Gamma_2 \blacktriangleright M : \tau]\!]_{\eta_2}$.

SUBST: If $\Gamma_1 = \Gamma, x{:}A, \Gamma'$ and $\Gamma_2 = \Gamma, \Gamma'[N/x]$, then $[\![\Gamma_1 \blacktriangleright M]\!]_{\eta_1} = [\![\Gamma_2 \blacktriangleright M[N/x]]\!]_{\eta_2}$, provided $\eta_1^{\Gamma_1}(x) = [\![\Gamma \blacktriangleright N]\!]_{\eta_1|_x} \in \mathit{dom}(\mathit{Rel}([\![\Gamma \blacktriangleright A]\!]_{\eta_1|_x}))$. □

Axioms CONST, VAR, APP are standard. CONST2 requires that atomic types denote PERs. FAMILY and SUBSET define the extension of the denotation of types of the form $\Pi x{:}A.\,B$ and $Power(C)$. ABS ensures the soundness of the three equality rules which mention the $\lambda$-constructor.
Example 6.7 (Full hierarchy model). We define an interpretation by:

$$
\begin{array}{rcl}
\mathit{Rel}(A) & = & A \\
{}[\![\Gamma \blacktriangleright x : \tau]\!]_\eta & = & \eta^{\Gamma}(x) \\
{}[\![\Gamma \blacktriangleright \kappa : P(\kappa)]\!]_\eta & = & R_\kappa \\
{}[\![\Gamma \blacktriangleright \lambda x{:}A.\,M : \tau \Rightarrow \upsilon]\!]_\eta & = & a \mapsto [\![\Gamma, x{:}A \blacktriangleright M : \upsilon]\!]_{(\eta,a)} \\
{}[\![\Gamma \blacktriangleright M\,N : \upsilon]\!]_\eta & = & \mathit{App}([\![\Gamma \blacktriangleright M : \tau \Rightarrow \upsilon]\!]_\eta,\ [\![\Gamma \blacktriangleright N : \tau]\!]_\eta) \\
{}[\![\Gamma \blacktriangleright \Pi x{:}A.\,B : P(\tau \Rightarrow \upsilon)]\!]_\eta & = & \Pi(R_{[\![A]\!]_\eta},\ a \mapsto R_{[\![B]\!]_{(\eta,a)}}) \\
{}[\![\Gamma \blacktriangleright Power(A) : P(P(\tau))]\!]_\eta & = & \mathit{Pwr}(R_{[\![A]\!]_\eta})
\end{array}
$$

□

Lemma 6.8. The interpretation defined in Example 6.7 is a model of $\lambda_{Power}$.

Here, $R_{[\![\Pi x{:}A.\,B]\!]_\eta}$ is not automatically a PER, since the uniformity condition that $a\ R_{[\![A]\!]_\eta}\ b$ implies $R_{[\![B]\!]_{(\eta,a)}} = R_{[\![B]\!]_{(\eta,b)}}$ can fail. For example, if $B = z\,x$, the "rough-soundness" requirement that $\eta(z) \in D^{\tau \Rightarrow P(\upsilon)}$ does not force the value of $z$ at one element of $D^{\tau}$ to be related to the value at another. This is why we generalized to relations. PERs are only guaranteed for well-formed terms.

6.4 Soundness

Here we show that when $\Gamma \rhd M : A$, then $[\![M]\!]_\eta$ is in the domain of the relation $R_{[\![A]\!]_\eta}$, and when $\Gamma \rhd M = N : A$, then $[\![M]\!]_\eta$ is related to $[\![N]\!]_\eta$ by $R_{[\![A]\!]_\eta}$. Moreover, $\mathit{Rel}([\![A]\!]_\eta)$ is a PER on $D^{\tau}$ where $\Gamma \blacktriangleright A : P(\tau)$. But we can only expect soundness if the environment $\eta$ satisfies the context in a suitable way. The interpretation of a context $\Gamma$ is defined by combining the interpretations of its components. Let $S$ and $T$ be sets, $R \in \mathrm{REL}(S)$, and $G \in \mathit{dom}(R) \to \mathrm{REL}(T)$. Then we define $\Sigma(R, G) \in \mathrm{REL}(S \times T)$ by:

$$p\ \Sigma(R,G)\ q \quad\text{iff}\quad \pi_1(p)\ R\ \pi_1(q) \ \text{ and }\ \pi_2(p)\ G(\pi_1(p))\ \pi_2(q)$$

Fact 6.9. If $R \in \mathrm{PER}(S)$ and $G(a) = G(b) \in \mathrm{PER}(T)$ whenever $a\ R\ b$, then $\Sigma(R, G) \in \mathrm{PER}(S \times T)$.

Definition 6.10 (Interpretation of contexts). Given a model for $\mathcal{D}$ and a roughly-typable context $\Gamma$, we define $[\![\Gamma]\!] \in \mathrm{REL}(D^{\Gamma})$ by induction on $\Gamma$, by $[\![\emptyset]\!] = \{(*, *)\}$ and $[\![\Gamma', x{:}A]\!] = \Sigma([\![\Gamma']\!],\ \eta \mapsto R_{[\![\Gamma' \blacktriangleright A : P(\tau)]\!]_\eta})$. We say $\eta_1, \eta_2 \in D^{\Gamma}$ are related environments satisfying $\Gamma$ iff $\eta_1\ [\![\Gamma]\!]\ \eta_2$.

Fact 6.11. If $\Gamma$ is roughly-typable and $\eta_1\ [\![\Gamma]\!]\ \eta_2$, then for all $x \in \mathit{Dom}(\Gamma)$, $\eta_1^{\Gamma}(x)\ R_{[\![\Gamma{\setminus}x \blacktriangleright \Gamma(x) : P(\tau)]\!]_{\eta_1|_x}}\ \eta_2^{\Gamma}(x)$.

Lemma 6.12. Suppose that $R_{[\![A]\!]_\eta} \in \mathrm{PER}(D^{\tau})$ and that $d\ R_{[\![A]\!]_\eta}\ e$ implies $R_{[\![B]\!]_{(\eta,d)}} = R_{[\![B]\!]_{(\eta,e)}} \in \mathrm{PER}(D^{\upsilon})$ for all $d, e$. Then in any model:

WEAK-EXT: If $\forall d, e.\ d\ R_{[\![A]\!]_\eta}\ e \Rightarrow [\![M]\!]_{(\eta,d)}\ R_{[\![B]\!]_{(\eta,d)}}\ [\![M]\!]_{(\eta,e)}$, then $\forall d, e.\ d\ R_{[\![A]\!]_\eta}\ e \Rightarrow \mathit{App}([\![\lambda x{:}A.\,M]\!]_\eta, d)\ R_{[\![B]\!]_{(\eta,d)}}\ \mathit{App}([\![\lambda x{:}A.\,M]\!]_\eta, e)$.

ETA: If $\forall d, e.\ d\ R_{[\![A]\!]_\eta}\ e \Rightarrow \mathit{App}([\![M]\!]_\eta, d)\ R_{[\![B]\!]_{(\eta,d)}}\ \mathit{App}([\![M]\!]_\eta, e)$, then $\forall d, e.\ d\ R_{[\![A]\!]_\eta}\ e \Rightarrow \mathit{App}([\![\lambda x{:}A.\,M\,x]\!]_\eta, d)\ R_{[\![B]\!]_{(\eta,d)}}\ \mathit{App}([\![M]\!]_\eta, e)$.

Theorem 6.13 (Soundness for models).

1. If $\rhd \Gamma$ then $[\![\Gamma]\!] \in \mathrm{PER}(D^{\Gamma})$.

2. If $\Gamma \rhd M : A$, then $\forall \eta_1, \eta_2 \in D^{\Gamma}$, $\eta_1\ [\![\Gamma]\!]\ \eta_2 \Rightarrow [\![M]\!]_{\eta_1}\ R_{[\![A]\!]_{\eta_1}}\ [\![M]\!]_{\eta_2}$.

3. If $\Gamma \rhd M = N : A$, then $\forall \eta_1, \eta_2 \in D^{\Gamma}$, $\eta_1\ [\![\Gamma]\!]\ \eta_2 \Rightarrow [\![M]\!]_{\eta_1}\ R_{[\![A]\!]_{\eta_1}}\ [\![N]\!]_{\eta_2}$.

Corollary 6.14 (Soundness of Typing). If $\Gamma \rhd M : A$, then for all $\eta \in \mathit{dom}[\![\Gamma]\!]$, $[\![M]\!]_\eta \in \mathit{dom}(R_{[\![A]\!]_\eta})$.

7 Conclusions

This paper introduces the type system $\lambda_{Power}$, a predicative fragment of Cardelli's original power type system [?]. Power types provide a cunning way of dealing with the subtyping judgement at the same time as the typing judgement. At first sight it appears to be a simplification, because two separate concerns are combined into one. However, the generalisation which occurs from using $Power(A)$ as both a term and a type leads to complication of the meta-theory.

The semantics of $\lambda_{Power}$ is set-based, but uses partial equivalence relations to interpret equality. The subtyping relation induced by power types is understood as inclusion between PERs. In contrast to other semantics for subtyping or dependent types, the intended model is made by "carving out" from a classical set-hierarchy, without using a universal domain. Every term in $\lambda_{Power}$ has a rough type which is either an atomic type, or one of the forms $\tau \Rightarrow \upsilon$ or $P(\tau)$, where $\tau$ and $\upsilon$ are rough types. These rough types are used to structure the set hierarchy.

Several important results are established. Unfortunately, there are still gaps in the meta-theory of $\lambda_{Power}$: ideally, we would like to prove a generation principle and thus prove subject reduction for $\lambda_{Power}$, which seems less straightforward than might be hoped (but no counterexamples have been found).
$$
\begin{array}{c}
\dfrac{\rhd \Gamma}{\Gamma \rhd \kappa : Power(\kappa)}\ (\textsc{atomic})
\qquad
\dfrac{\rhd \Gamma \qquad x \in \mathit{Dom}(\Gamma)}{\Gamma \rhd x : \Gamma(x)}\ (\textsc{var})
\\[3ex]
\dfrac{\Gamma, x{:}A \rhd M : B}{\Gamma \rhd \lambda x{:}A.\,M : \Pi x{:}A.\,B}\ (\lambda)
\qquad
\dfrac{\Gamma \rhd M : \Pi x{:}A.\,B \qquad \Gamma \rhd N : A}{\Gamma \rhd M\,N : B[N/x]}\ (\textsc{app})
\\[3ex]
\dfrac{\Gamma \rhd M : A \qquad \Gamma \rhd A : Power(B)}{\Gamma \rhd M : B}\ (\textsc{sub})
\qquad
\dfrac{\Gamma \rhd M : \Pi x{:}A.\,Power(B)}{\Gamma \rhd M : \Pi x{:}A.\,Power(M\,x)}\ (\textsc{refl})
\\[3ex]
\dfrac{\Gamma \rhd M : A \qquad \Gamma \rhd A = B : Power(C)}{\Gamma \rhd M : B}\ (\textsc{conv})
\\[3ex]
\dfrac{\Gamma \rhd A' : Power(A) \qquad \Gamma, x{:}A' \rhd B : Power(B') \qquad \Gamma, x{:}A \rhd B : Power(C)}{\Gamma \rhd \Pi x{:}A.\,B : Power(\Pi x{:}A'.\,B')}\ (\Pi)
\\[3ex]
\dfrac{\Gamma \rhd A : Power(B)}{\Gamma \rhd Power(A) : Power(Power(B))}\ (\textsc{Power})
\end{array}
$$

Fig. 1. Typing rules

$$
\begin{array}{c}
\rhd \emptyset\ (\textsc{empty})
\qquad
\dfrac{\Gamma \rhd A : Power(B)}{\rhd \Gamma, x{:}A}\ (\textsc{extend})
\qquad
\dfrac{\Gamma \rhd M : A}{\Gamma \rhd M = M : A}\ (\textsc{eq-refl})
\qquad
\dfrac{\Gamma \rhd M = N : A}{\Gamma \rhd N = M : A}\ (\textsc{eq-sym})
\\[3ex]
\dfrac{\Gamma \rhd M = N : A \qquad \Gamma \rhd N = P : A}{\Gamma \rhd M = P : A}\ (\textsc{eq-trans})
\qquad
\dfrac{\Gamma, x{:}A \rhd M = M' : B}{\Gamma \rhd \lambda x{:}A.\,M = \lambda x{:}A.\,M' : \Pi x{:}A.\,B}\ (\textsc{eq-}\lambda)
\\[3ex]
\dfrac{\Gamma \rhd M = M' : \Pi x{:}A.\,B \qquad \Gamma \rhd N = N' : A}{\Gamma \rhd M\,N = M'\,N' : B[N/x]}\ (\textsc{eq-app})
\qquad
\dfrac{\Gamma, x{:}A \rhd M : B \qquad \Gamma \rhd N : A}{\Gamma \rhd (\lambda x{:}A.\,M)\,N = M[N/x] : B[N/x]}\ (\textsc{eq-}\beta)
\\[3ex]
\dfrac{\Gamma \rhd M : \Pi x{:}A.\,B}{\Gamma \rhd \lambda x{:}A.\,M\,x = M : \Pi x{:}A.\,B}\ (\textsc{eq-}\eta)
\end{array}
$$

Fig. 2. Context and equality rules

$$
\begin{array}{c}
\blacktriangleright \emptyset
\qquad
\dfrac{\Gamma \blacktriangleright A : P(\tau)}{\blacktriangleright \Gamma, x{:}A}
\qquad
\dfrac{\blacktriangleright \Gamma}{\Gamma \blacktriangleright \kappa : P(\kappa)}
\qquad
\dfrac{\blacktriangleright \Gamma \qquad \Gamma{\setminus}x \blacktriangleright \Gamma(x) : P(\tau)}{\Gamma \blacktriangleright x : \tau}
\\[3ex]
\dfrac{\Gamma \blacktriangleright A : P(\tau) \qquad \Gamma, x{:}A \blacktriangleright M : \upsilon}{\Gamma \blacktriangleright \lambda x{:}A.\,M : \tau \Rightarrow \upsilon}
\qquad
\dfrac{\Gamma \blacktriangleright M : \tau \Rightarrow \upsilon \qquad \Gamma \blacktriangleright N : \tau}{\Gamma \blacktriangleright M\,N : \upsilon}
\\[3ex]
\dfrac{\Gamma \blacktriangleright A : P(\tau) \qquad \Gamma, x{:}A \blacktriangleright B : P(\upsilon)}{\Gamma \blacktriangleright \Pi x{:}A.\,B : P(\tau \Rightarrow \upsilon)}
\qquad
\dfrac{\Gamma \blacktriangleright A : P(\tau)}{\Gamma \blacktriangleright Power(A) : P(P(\tau))}
\end{array}
$$

Fig. 3. Rough typing rules
Abstract. We investigate the complexity of the fixed-points of bounded formulas in the context of finite set theory; that is, in the context of arbitrary classes of finite structures that are equipped with a built-in BIT predicate, or equivalently, with a built-in membership relation between hereditarily finite sets (input relations are allowed). We show that the iteration of a positive bounded formula converges in polylogarithmically many steps in the cardinality of the structure. This extends a previously known much weaker result. We obtain a number of connections with the rudimentary languages and deterministic polynomial-time. Moreover, our results provide a natural characterization of the complexity class consisting of all languages computable by bounded-depth, polynomial-size circuits, and polylogarithmic-time uniformity. As a byproduct, we see that this class coincides with LH(P), the logarithmic-time hierarchy with an oracle to deterministic polynomial-time. Finally, we discuss the connection of this result with the well-studied algorithms for integer division.

Keywords: Circuit uniformity, BIT predicate, logarithmic-time hierarchy, rudimentary languages, integer division.

1 Introduction

1.1 Background

The Ordered Conjecture of Kolaitis and Vardi states that least fixed-point logic LFP is strictly more expressive than first-order logic FO on every infinite class of ordered finite structures. Informally, the conjecture expresses an inherent limitation of first-order logic to capture polynomial-time computations on finite structures, no matter how rich the combinatorial nature of the structures is. The question remains open, and it is known that any way of solving it will have important consequences in Complexity Theory. A refutation would imply that $\mathrm{P} \ne \mathrm{PSPACE}$ [?], and a proof would imply that $\mathrm{LINH} \ne \mathrm{E}$ [?]. Here, LINH

* Supported by the CUR, Generalitat de Catalunya, through grant 1999FI 00532, and partially supported by ALCOM-FT, IST-99-14186.

P. Clote and H. Schwichtenberg (Eds.): CSL 2000, LNCS 1862, pp. 172–..., 2000.
is the linear-time hierarchy of Wrathall [?], and E is the usual complexity class that consists of all languages that are accepted by deterministic Turing machines in time $2^{O(n)}$.

There is a special case of the conjecture, singled out by Gurevich, Immerman, and Shelah [?], that is of particular interest. Namely, it is unknown whether LFP collapses to FO on the class of all finite structures of the form $(\{0, \ldots, n-1\}, <, \mathrm{BIT})$, where $<$ is the usual linear ordering, and BIT is the binary relation that consists of all pairs $(p, q)$ of natural numbers such that the $p$-th bit in the binary expansion of $q$ is one. As pointed out in [?], the collapse happens if and only if DLOGTIME-uniform $\mathrm{AC}^0$ = P-uniform $\mathrm{AC}^0$ (the definitions are given later in the paper), or equivalently, if and only if $\mathrm{LINH} = \mathrm{E}$. Motivated by this interesting connection, Atserias and Kolaitis [?] investigated the difficulty of settling this special case of the Ordered Conjecture. Their approach is further motivated by the existence of a well-known isomorphism between $(\mathbb{N}, \mathrm{BIT})$ and $(V_\omega, \in)$ (see [?]), where $V_\omega$ is the class of all hereditarily finite sets; that is, $V_\omega = \bigcup_{n \ge 0} V_n$ where $V_{n+1} = \mathcal{P}(V_n)$ and $V_0 = \emptyset$. The Ackermann bijection $e : \mathbb{N} \to V_\omega$, defined for every $n \in \mathbb{N}$ as

$$e(n) = \{e(m) : \text{the } m\text{-th bit of } n \text{ is one}\},$$

is the aforementioned isomorphism. Furthermore, by exploiting this mapping of BIT into $\in$, Dawar, Doets, Lindell and Weinstein [?] showed the somewhat surprising result that the standard linear order is first-order definable from the BIT predicate alone. Hence, the question translates into whether LFP collapses to FO on the class $\mathcal{BIT} = \{(\{e(0), \ldots, e(n-1)\}, \in) : n > 0\}$. In view of the Ackermann bijection, we identify the structures $(\{0, \ldots, n-1\}, \mathrm{BIT})$ and $(\{e(0), \ldots, e(n-1)\}, \in)$, here and in the future, and thus use the notation $\mathrm{BIT}_n = (\{0, \ldots, n-1\}, \in)$.

This set-theoretic framework led to the study of the fixed-points of the $\Delta_0$ formulas of set theory, also called bounded formulas. These are the formulas all of whose quantifiers are of the form $(\exists x \in y)$ and $(\forall x \in y)$ (Sazonov has studied the fixed-points of bounded formulas in the context of definability on $(V_\omega, \in)$, rather than in the context of uniform definability on finite structures; see [?] for a survey). It was proved by Atserias and Kolaitis that if the fixed-points of positive $\Delta_0$ formulas $\mathrm{LFP}(\Delta_0)$ were first-order definable on $\mathcal{BIT}$, then $\mathrm{P} \subseteq \mathrm{LINH}$ and so $\mathrm{P} \ne \mathrm{PSPACE}$. Thus, settling whether $\mathrm{LFP}(\Delta_0)$ collapses is already a difficult question. Nonetheless, the authors were able to show that the fixed-points of the so-called restricted $\Delta_0$ formulas were indeed first-order definable, and so were the fixed-points of all unary and binary $\Delta_0$ formulas. Finally, back to complexity issues, they showed that the number of times that a positive $\Delta_0$ formula has to be iterated until its fixed-point is reached in a finite structure, its closure function, is bounded by a polylogarithm of the cardinality of the structure on a small subclass of $\mathcal{BIT}$. As a consequence, these fixed-points are computable in NC on this class.
1.2 Main Results

The isomorphism mapping BIT to the membership relation $\in$ constitutes a good source of inspiration to obtain results that explain the expressive power of first-order logic and fixed-point logic when strong built-in relations are available. The results in [?] and [?] are good examples. Moreover, the set-theoretic framework provides new concepts to consider, such as $\Delta_0$ formulas, and new techniques to apply, such as absoluteness arguments. However, the complexity aspects of $\mathrm{LFP}(\Delta_0)$ were not completely studied in [?], and we feel that the results of the present paper complete this study.

The first result of this paper is the extension of the last result in [?] to arbitrary classes of finite structures with built-in membership (BIT) relation. That is, we show that the closure functions of $\Delta_0$ formulas are bounded by a polylogarithm of the cardinality of the universe of any arbitrary finite structure with built-in membership relation. Moreover, we observe that this implies that $\mathrm{LFP}(\Delta_0)$ is computable in DPOLYLOGTIME (and not simply in NC) on any arbitrary class of finite structures with built-in membership relation. Then we focus back on the class $\mathcal{BIT}$. We observe that on this particular class, $\mathrm{LFP}(\Delta_0)$ is even in (non-uniform) $\mathrm{AC}^0$ for some trivial reasons. The interesting question is then: which uniform version of $\mathrm{AC}^0$ is captured by $\mathrm{FO} + \mathrm{LFP}(\Delta_0)$, the first-order closure of $\mathrm{LFP}(\Delta_0)$? Our second main result is the answer to this question: on $\mathcal{BIT}$, the logic $\mathrm{FO} + \mathrm{LFP}(\Delta_0)$ captures DPOLYLOGTIME-uniform $\mathrm{AC}^0$, which in turn coincides with $\mathrm{LH}^{\mathrm{P}}$, the logarithmic-time hierarchy of Sipser with an oracle to P. As a corollary we obtain an exact characterization of the complexity-theoretic difficulties of showing $\mathrm{FO} + \mathrm{LFP}(\Delta_0) = \mathrm{FO}$ on $\mathcal{BIT}$. We show that the collapse is equivalent to $\mathrm{P} \subseteq \mathrm{LINH}$. Note that LINH coincides with the rudimentary languages RUD [?] introduced by Smullyan [?].

We then consider the descriptive complexity of $\mathrm{FO} + \mathrm{LFP}(\Delta_0)$ on arbitrary classes of finite structures with built-in membership relation. Somewhat surprisingly, we are only able to provide an exact answer in the case that the underlying vocabulary of the class of structures is unary (on classes of words with built-in membership relation). In that case, $\mathrm{FO} + \mathrm{LFP}(\Delta_0)$ still captures DPOLYLOGTIME-uniform $\mathrm{AC}^0$. For higher arities, however, we are only able to compare the relative expressive power of $\mathrm{FO} + \mathrm{LFP}(\Delta_0)$ and FO with a complexity-theoretic question. We show that if $\mathrm{P} \subseteq \mathrm{RUD}_{n^{1/r}}$, then $\mathrm{FO} + \mathrm{LFP}(\Delta_0)$ collapses to FO on any arbitrary class of finite structures with built-in membership relation over a vocabulary of arity at most $r$. The class $\mathrm{RUD}_{n^{1/r}}$ was introduced by Jones [?] as a natural subclass of the rudimentary languages $\mathrm{RUD} = \mathrm{RUD}_n$. A result of Allender and Gore [?] implies that $\mathrm{RUD}_{n^{\epsilon}}$ coincides with $\mathrm{ATIME}(O(n^{\epsilon}), O(1))$ for every $\epsilon \in (0, 1]$. Here, $\mathrm{ATIME}(t(n), a(n))$ is the class of languages accepted by alternating Turing machines in time $t(n)$ and $a(n)$ alternations. Moreover, as mentioned by Allender and Gore, $\mathrm{RUD}_{n^{\epsilon}}$ contains complete problems of each level of the polynomial-time hierarchy PH [?].

It is interesting that DPOLYLOGTIME-uniform $\mathrm{AC}^0$ comes out of our results as a natural complexity class (we note that polylogtime uniformity has been considered at least once in the past by Allender and Gore [?], although in a completely different context). The reason amounts to a connection with the problem of the uniformity of Boolean circuits for integer division, an interesting issue that has received a good deal of attention [?]. See the end of the relevant section below for more details. Finally, it is obvious that our objects of study are intimately related to questions about the rudimentary languages, a well-studied topic [?]. We point out that the rudimentary languages, and the techniques related to them, have been revisited very recently by Fortnow [?], and Lipton and Viglas [?], to obtain significant progress in some important open problems in Complexity Theory.

2 Preliminaries

Logic. Let $\sigma = \{R_1, \ldots, R_s\}$ be a finite relational vocabulary, and let $\mathbf{M} = (M, R_1^{\mathbf{M}}, \ldots, R_s^{\mathbf{M}})$ be a finite structure over $\sigma$. We will always identify the universe of $\mathbf{M}$, denoted $M$, with the initial segment of the natural numbers of cardinality $|M|$; thus, $M = \{0, \ldots, |M|-1\}$. Let $R = (R_1, R_2, \ldots)$ be a sequence of $k$-ary relations such that $R_n \subseteq \{0, \ldots, n-1\}^k$. Let $\mathcal{C}$ be a class of finite structures for $\sigma \cup \{R\}$, with $R \notin \sigma$. We say that $\mathcal{C}$ is a class of finite structures over $\sigma$ with built-in $R$-relation if and only if, for every $\mathbf{M} \in \mathcal{C}$, we have that $R^{\mathbf{M}} = R_{|M|}$. Notice that the built-in relation only depends on the cardinality of the structure.

Least fixed-point logic FO + LFP is the extension of first-order logic FO obtained by augmenting the syntax with a new formula $\mathrm{LFP}_{\bar{x},X}\,\varphi(x_1, \ldots, x_k, X)$, for every first-order formula $\varphi$ positive in the $k$-ary relation variable $X$. The meaning of $\mathbf{M} \models (\mathrm{LFP}_{\bar{x},X}\,\varphi)[\bar{a}]$ is that $\bar{a} \in I_\varphi^{\infty}(\mathbf{M})$, where $I_\varphi^{\infty}(\mathbf{M})$ is the least fixed-point of the monotone operator defined by $\varphi$ on $\mathbf{M}$. We let $I_\varphi^{m}(\mathbf{M})$ be the $m$-th stage, that is, $I_\varphi^{m}(\mathbf{M}) = \{\bar{a} \in M^k : \mathbf{M} \models \varphi[\bar{a}, I_\varphi^{m-1}(\mathbf{M})]\}$, starting from $I_\varphi^{0}(\mathbf{M}) = \emptyset$. It is known that FO + LFP is closed under nested applications of the least fixed-point operator (see [?]).

We let $\mathrm{LFP}(\Delta_0)$ be the class of formulas of the form $\mathrm{LFP}_{\bar{x},X}\,\varphi(x_1, \ldots, x_k, X)$, where $\varphi$ is a $\Delta_0$ formula positive in the $k$-ary relation variable $X$. Observe that first-order parameters are not allowed, and neither is the nesting of fixed-point operators. We let $\mathrm{FO} + \mathrm{LFP}(\Delta_0)$ denote the closure of $\mathrm{LFP}(\Delta_0)$ under all first-order connectives and quantification.

Complexity. For every natural number $n$, we let $\log n$ denote the length of the shortest binary representation of $n$. If we wish to use the true base-two logarithm, we use the notation $\log_2(n)$; thus, $\log n = \lfloor \log_2(n) \rfloor + 1$. We identify natural numbers with their shortest binary representation. However, for every $m \in \{0, \ldots, n-1\}$, we let $b_n(m)$ denote the unique binary representation of $m$ of length $\log(n-1)$ (padded with leading zeros if necessary).

Our model of computation is the oracle alternating multitape Turing machine with random access to the input. This model, originally defined by Ruzzo [?] and used by Barrington, Immerman and Straubing [?], Buss and Sipser [?] among others, is a modification of the model of Chandra, Kozen and Stockmeyer [?] to allow sublinear time-bounds. These machines are equipped with an address tape on which to write a number in binary. When the machine enters a distinguished state with a number $p$ written on its address tape, the head of the input tape jumps, in one step, to the $p$-th leftmost cell of the tape. Strictly speaking, the definition of Ruzzo [?] is slightly different from ours, but standard simulation arguments show that both models have the same computing power with only a constant factor loss in time or number of alternations (see [?], for example). In the case of deterministic machines, our model is slightly more robust, but this will not affect the generality of the results.

Finite structures are encoded as words over the alphabet $\{0, 1, \#\}$ according to the following convention. For every relation symbol $R_i \in \sigma$ of arity $r$, we let $\chi(R_i^{\mathbf{M}})$ be the characteristic sequence of $R_i^{\mathbf{M}}$. That is, $\chi(R_i^{\mathbf{M}}) = a_0 a_1 \ldots a_{n^r - 1}$, where $a_m \in \{0, 1\}$, and $a_m = 1$ if and only if $(m_{r-1}, \ldots, m_0) \in R_i^{\mathbf{M}}$, where $(m_{r-1}, \ldots, m_0)$ is the $n$-ary representation of $m$. Then, the encoding of $\mathbf{M}$ is just

$$\langle \mathbf{M} \rangle = 1^n \# \chi(R_1^{\mathbf{M}}) \# \ldots \# \chi(R_s^{\mathbf{M}}).$$

We extend the encoding to include individuals as follows. For every $a_1, \ldots, a_k \in M$, let $\langle \mathbf{M}, a_1, \ldots, a_k \rangle = \langle \mathbf{M} \rangle \# b_n(a_1) \# \ldots \# b_n(a_k)$. Let $\mathcal{C}$ be a class of finite structures, and let $Q$ be a $k$-ary query on $\mathcal{C}$. We say that $Q$ is computable in a complexity class $C$ on $\mathcal{C}$ if there exists a language $L \in C$ such that for every $\mathbf{M} \in \mathcal{C}$ and $a_1, \ldots, a_k \in M$, we have that $(a_1, \ldots, a_k) \in Q(\mathbf{M})$ if and only if $\langle \mathbf{M}, a_1, \ldots, a_k \rangle \in L$. We say that a $k$-ary built-in relation $R = (R_1, R_2, \ldots)$ is computable in a complexity class $C$ if there exists a language $L \in C$ such that for every $n$ and $a_1, \ldots, a_k \in \{0, \ldots, n-1\}$, we have that $(a_1, \ldots, a_k) \in R_n$ if and only if $1^n \# b_n(a_1) \# \ldots \# b_n(a_k) \in L$. When considering Boolean circuits, we are forced to restrict ourselves to the binary alphabet $\{0, 1\}$. We fix then a homomorphism $h : \{0, 1, \#\}^* \to \{0, 1\}^*$ in a standard way: put $h(0) = 00$, $h(1) = 11$ and $h(\#) = 01$ (see below for more details).
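The encoding convention above, written out as code: an added example, not from the paper, with a constructed three-element structure as input. A decoder is included because an encoding that is only ever produced, never parsed and validated, hides the cases (a block of the wrong length, a $10$ pair outside the image of $h$) that any machine reading such words has to reject.

```python
"""Encoding of finite structures as words over {0,1,#} and the binary homomorphism h,
as described in the preliminaries.  Added example, not from the paper; the sample
structure is constructed."""


def log_len(n):
    """'log n' in the paper's sense: length of the shortest binary representation of n,
    i.e. floor(log2 n) + 1 for n >= 1 (and 1 for n = 0, whose representation is '0')."""
    return max(1, n.bit_length())


def b(n, m):
    """b_n(m): the binary representation of m in {0..n-1} of length log(n-1), zero-padded."""
    if not 0 <= m < n:
        raise ValueError('element %d not in {0..%d}' % (m, n - 1))
    return format(m, 'b').zfill(log_len(n - 1))


def nary_digits(m, n, r):
    """(m_{r-1}, ..., m_0): the r-digit base-n representation of m, most significant first."""
    digits = []
    for _ in range(r):
        digits.append(m % n)
        m //= n
    return tuple(reversed(digits))


def char_seq(rel, n, r):
    """chi(R) = a_0 ... a_{n^r - 1} with a_m = 1 iff the n-ary representation of m is in R."""
    return ''.join('1' if nary_digits(m, n, r) in rel else '0' for m in range(n ** r))


def encode(n, relations, *args):
    """<M, a_1, ..., a_k> = 1^n # chi(R_1) # ... # chi(R_s) # b_n(a_1) # ... # b_n(a_k).
    relations is a list of (arity, set of tuples) in vocabulary order."""
    word = '1' * n + ''.join('#' + char_seq(rel, n, r) for r, rel in relations)
    return word + ''.join('#' + b(n, a) for a in args)


def decode(word, arities):
    """Parse <M> back into (n, relations), validating the word against the given arities.
    Raises ValueError on malformed input rather than guessing."""
    parts = word.split('#')
    n = len(parts[0])
    if n == 0 or parts[0] != '1' * n or len(parts) != 1 + len(arities):
        raise ValueError('bad header or wrong number of relation blocks')
    relations = []
    for r, blk in zip(arities, parts[1:]):
        if len(blk) != n ** r or set(blk) - {'0', '1'}:
            raise ValueError('block for arity %d must be exactly n^r bits' % r)
        relations.append((r, {nary_digits(m, n, r) for m, c in enumerate(blk) if c == '1'}))
    return n, relations


H = {'0': '00', '1': '11', '#': '01'}
H_INV = {v: k for k, v in H.items()}


def h(word):
    """The homomorphism {0,1,#}* -> {0,1}*: 0 -> 00, 1 -> 11, # -> 01."""
    return ''.join(H[c] for c in word)


def h_inv(bits):
    """Decode h; None if bits is not in the image (odd length or a '10' pair)."""
    if len(bits) % 2:
        return None
    pairs = [bits[i:i + 2] for i in range(0, len(bits), 2)]
    if any(p not in H_INV for p in pairs):
        return None
    return ''.join(H_INV[p] for p in pairs)


# Constructed sample: universe {0,1,2}, one binary relation R = {(0,1),(1,2),(2,0)}.
SAMPLE_N, SAMPLE_R = 3, {(0, 1), (1, 2), (2, 0)}

if __name__ == '__main__':
    w = encode(SAMPLE_N, [(2, SAMPLE_R)], 2, 0)
    print(w, h(w), decode(encode(SAMPLE_N, [(2, SAMPLE_R)]), [2]))
```

The characteristic sequence enumerates tuples in the order of their $n$-ary representation, so for the sample relation the block is $010001100$ (positions $1 = (0,1)$, $5 = (1,2)$ and $6 = (2,0)$ are set), and $b_3(2)$ is the two-bit string $10$ because $\log(3-1) = 2$.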

3 General Facts about Bounded Formulas

Recall that the transitive closure of a set $a$, denoted by $\mathrm{TC}(a)$, is defined inductively as follows: $\mathrm{TC}(a) = \bigcup\{\mathrm{RTC}(b) : b \in a\}$. The reflexive transitive closure of $a$, denoted by $\mathrm{RTC}(a)$, is $\{a\} \cup \mathrm{TC}(a)$. Our first Lemma says that the satisfiability of a $\Delta_0$ formula only depends on the reflexive transitive closure of its arguments. Given a first-order formula $\varphi(x_1, \ldots, x_n)$ with free variables among $x_1, \ldots, x_n$, we let $F(\varphi)$ be the set of indices of the free variables of $\varphi$.

Lemma 1. Let $\sigma$ be a relational vocabulary, let $\mathbf{M}$ be a structure for $\sigma \cup \{\in\}$ with built-in membership relation, and let $\varphi(x_1, \ldots, x_s, X)$ be a $\Delta_0$ formula over $\sigma \cup \{\in, X\}$, where $X$ is a $k$-ary relation variable. For every $A \subseteq M^k$, and every tuple $\bar a = (a_1, \ldots, a_s) \in M^s$, we have that $\mathbf{M} \models \varphi[\bar a, A]$ if and only if $\mathbf{M} \models \varphi[\bar a, A \cap (\bigcup\{\mathrm{RTC}(a_i) : i \in F(\varphi)\})^k]$.
Proof: We proceed by induction on the construction of φ. The base cases are 
trivial, and so is the case in which φ is of the form ¬ψ. Suppose that φ is of 
the form ψ_1 ∧ ψ_2. Let B = ∪{RTC(a_i) : i ∈ F(φ)} and B_j = ∪{RTC(a_i) : i ∈ 
F(ψ_j)} for j = 1, 2. Then, M ⊨ φ[ā, A ∩ B^k] if and only if M ⊨ ψ_j[ā, A ∩ B^k] for 
j = 1, 2. By induction hypothesis, this is equivalent to M ⊨ ψ_j[ā, A ∩ B^k ∩ B_j^k] 
for j = 1, 2. Since F(ψ_j) ⊆ F(φ), we have B_j ⊆ B, so this is equivalent to M ⊨ ψ_j[ā, A ∩ B_j^k] for 
j = 1, 2. By induction hypothesis again, this is equivalent to M ⊨ ψ_j[ā, A] for 
j = 1, 2, and therefore to M ⊨ φ[ā, A]. Suppose next that φ is of the form 
(∃x_i ∈ x_j)ψ. Let B = ∪{RTC(a_i) : i ∈ F(φ)}. In this case, M ⊨ φ[ā, A ∩ B^k] if 
and only if there is some a ∈ M such that a ∈ a_j and M ⊨ ψ[b̄, A ∩ B^k], where 
b̄ = (a_1, …, a_{i−1}, a, a_{i+1}, …, a_s). Let B(b̄) = ∪{RTC(b_l) : l ∈ F(ψ)}. Therefore, 
by induction hypothesis, M ⊨ φ[ā, A ∩ B^k] if and only if there is some a ∈ M 
such that a ∈ a_j and M ⊨ ψ[b̄, A ∩ B^k ∩ B(b̄)^k]. Since for every a ∈ a_j we 
have that RTC(a) ⊆ RTC(a_j), it is the case that B(b̄) ⊆ B. Consequently, 
M ⊨ φ[ā, A ∩ B^k] if and only if there is some a ∈ M such that a ∈ a_j and M ⊨ 
ψ[b̄, A ∩ B(b̄)^k], and by induction hypothesis again, if and only if there is some such a with M ⊨ ψ[b̄, A], 
that is, M ⊨ φ[ā, A], as required. □ 

For every first-order formula φ(x_1, …, x_k, X) positive in the k-ary relation 
symbol X, we let cl_φ(M) denote the closure ordinal of φ in M; that is, cl_φ(M) 
is the minimum ordinal α such that I_φ^α(M) = ∪_{β<α} I_φ^β(M) [?]. Since the 
reflexive transitive closure of a finite set is relatively small, Lemma 1 allows us 
to put polylogarithmic bounds on the closure functions of Δ_0 formulas. This 
result extends Theorem 4 in [?] to the case of 𝓑𝓘𝓣, and in fact, to arbitrary 
classes of finite structures with built-in membership relation. 

Theorem 1. Let σ be a relational vocabulary, and let φ(x_1, …, x_k, X) be a Δ_0 
formula over σ ∪ {∈, X} that is positive in the k-ary relation variable X. Then, 

cl_φ(M) ≤ (log(|M| − 1) + k)^k 

for every finite structure M over σ ∪ {∈} with built-in membership relation. 

Proof: Put t = (log(|M| − 1) + k)^k, and assume for contradiction that cl_φ(M) > t. 
Let ā_0 = (a_{0,1}, …, a_{0,k}) ∈ M^k be such that |ā_0| > t, where |ā| denotes 
the minimal m such that ā ∈ I_φ^m(M) if ā ∈ I_φ^∞(M), and ∞ if ā ∉ I_φ^∞(M). 

In the following, let I^m be an abbreviation for I_φ^m(M). We build a sequence 
ā_0, ā_1, …, ā_t such that |ā_i| = |ā_0| − i, and ā_i ∈ S^k for every i = 0, …, t, where 
S = {0, …, log(|M| − 1) − 1} ∪ {a_{0,1}, …, a_{0,k}}. This will prove the theorem since 
the t + 1 tuples ā_0, …, ā_t are pairwise distinct, while the cardinality of S^k is at most t. 

For every ā = (a_1, …, a_k) ∈ M^k, let S(ā) denote the set {0, …, log(|M| − 
1) − 1} ∪ {a_1, …, a_k}. Observe that ∪{RTC(a_i) : i ∈ F(φ)} ⊆ S(ā) since every 
element in TC(a_i) is a bit position of an element in {0, …, |M| − 1}. Assuming 
ā_i = (a_{i,1}, …, a_{i,k}) is already defined, we define ā_{i+1} = (a_{i+1,1}, …, a_{i+1,k}). Let 
m = |ā_i|. Then, M ⊨ φ[ā_i, I^{m−1}]. Lemma 1 and monotonicity imply that M ⊨ 
φ[ā_i, I^{m−1} ∩ S(ā_i)^k]. Observe that since ā_i ∈ S(ā_0)^k by assumption, we have 
that S(ā_i) ⊆ S(ā_0). Now let us consider two cases: (i) I^{m−1} ∩ S(ā_0)^k ⊆ I^{m−2}, 
or (ii) I^{m−1} ∩ S(ā_0)^k ⊄ I^{m−2}. In case (i) we have that M ⊨ φ[ā_i, I^{m−2}] by 
monotonicity. Hence, ā_i ∈ I^{m−1}, which contradicts the minimality of m = |ā_i|. 
In case (ii), there must exist some ā_{i+1} ∈ I^{m−1} ∩ S(ā_0)^k that does not belong 
to I^{m−2}. Observe that |ā_{i+1}| = |ā_i| − 1, and ā_{i+1} ∈ S(ā_0)^k as required. This 
completes the proof of the theorem. □ 

The polylogarithmic bounds on the closure functions, together with a result 
of Immerman [?], imply that every query that is definable as the fixed-point of 
a Δ_0 formula is computable in NC, the parallel complexity class. However, we 
can keep the machine sequential as noted in the following 

Lemma 2. Let σ be a relational vocabulary, let C be a class of finite structures 
over σ with built-in membership relation, and let φ(x_1, …, x_k, X) be a Δ_0 
formula that is positive in the k-ary relation variable X. Then, the query on C 
defined by the formula (LFP_{x̄,X} φ) is computable in DPOLYLOGTIME on C. 

Proof: The idea is that the standard fixed-point computation will only take 
a polylogarithmic number of iterations by Theorem 1, and each iteration is 
computable in polylogarithmic time because φ is a Δ_0 formula. More precisely, 
on input ⟨M, a_1, …, a_k⟩, the polylogarithmic-time Turing machine will proceed 
as follows. The machine first determines the cardinality of M, say n. To this 
end, it determines the length m of the input in O(log m) steps using its random 
access to the input (see [?] for this trick), and then it executes a straightforward 
computation to extract n from m (here we use the fact that our encodings 
are carefully chosen so that their length is determined by the cardinality of 
M, the signature σ, and k). Let B = {0, …, log(n − 1) − 1} ∪ {a_1, …, a_k}. 
The machine will keep, in a separate tape, an encoding of a k-ary relation on 
B; this will require O((log n)^k) bits of information. Then, it starts a loop that 
is to be repeated (log(n − 1) + k)^k times. In each iteration, the machine cycles 
through all k-tuples (b_1, …, b_k) in B^k, and evaluates M ⊨ φ[b_1, …, b_k, R] where 
R is the k-ary relation encoded in the separate tape. Atomic formulas from σ 
are resolved by random access to the input, and atomic formulas of the form 
X(u_1, …, u_k) are resolved by accessing the position of tuple (u_1, …, u_k) in the 
encoding of R. Observe that each relevant tuple (u_1, …, u_k) will be available 
since M ⊨ φ[b_1, …, b_k, R] if and only if 

M ⊨ φ[b_1, …, b_k, R ∩ (∪{RTC(b_i) : i ∈ F(φ)})^k], 

and ∪{RTC(b_i) : i ∈ F(φ)} ⊆ B for every (b_1, …, b_k) ∈ B^k, since every element 
of TC(b_i) is a bit position of an element in {0, …, n − 1}. For the same reason, 
each quantifier is bounded by some b_i, and therefore the variable it bounds 
ranges over at most log(n − 1) elements of the universe. Hence, the computation 
can be done in time O((log n)^r) where r depends on the number of quantifiers of 
φ. When the evaluation of M ⊨ φ[b_1, …, b_k, R] is complete, the machine updates 
accordingly the position corresponding to tuple (b_1, …, b_k) in the encoding of 
R. Finally, the machine will only have to check whether the tuple (a_1, …, a_k) 
belongs to R at the end of the loop. □ 
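Lemma 1, Theorem 1 and the machine of Lemma 2, as one added worked example over the structures BIT_n (this code is not part of the paper). It assumes the built-in membership relation is a ∈ b iff bit a of b is 1, takes "log(n − 1)" as the number of bit positions of elements of {0, …, n − 1} (the paper does not fix the rounding), and uses as running formula φ(x, y, X) = x ∈ y ∨ (∃z ∈ y) X(x, z), whose least fixed point is "x ∈ TC(y)"; the formula syntax, the set B = {0, …, log(n − 1) − 1} ∪ {a_1, …, a_k} and the stage sequence I^0, I^1, … are the text's, the encoding of formulas as nested tuples is the example's own.

```python
"""Added example (not from the paper): Delta_0 formulas over BIT_n, the
reflexive transitive closure of Lemma 1, the closure-ordinal bound of
Theorem 1, and the restricted fixed-point iteration of Lemma 2."""
from itertools import product


def member(a, b):
    """Built-in membership on {0, ..., n-1} (assumed BIT): a ∈ b iff bit a of b is 1."""
    return (b >> a) & 1 == 1


def elements(b):
    return [a for a in range(b.bit_length()) if member(a, b)]


def rtc(a):
    """RTC(a) = {a} ∪ TC(a), with TC(a) = ∪{RTC(b) : b ∈ a}; terminates since b ∈ a implies b < a."""
    out = {a}
    for b in elements(a):
        out |= rtc(b)
    return out


def tc(a):
    return rtc(a) - {a}


def holds(f, env, X):
    """M ⊨ f[env, X]. Formulas are nested tuples with bounded quantifiers only:
    ('in', x, y)  ('eq', x, y)  ('X', (x1, .., xk))  ('not', f)  ('and', f, g)
    ('or', f, g)  ('ex', x, y, f) = (∃x ∈ y) f   ('all', x, y, f) = (∀x ∈ y) f."""
    op = f[0]
    if op == 'in':
        return member(env[f[1]], env[f[2]])
    if op == 'eq':
        return env[f[1]] == env[f[2]]
    if op == 'X':
        return tuple(env[v] for v in f[1]) in X
    if op == 'not':
        return not holds(f[1], env, X)
    if op == 'and':
        return holds(f[1], env, X) and holds(f[2], env, X)
    if op == 'or':
        return holds(f[1], env, X) or holds(f[2], env, X)
    x, y, body = f[1], f[2], f[3]
    cands = elements(env[y])            # the bound variable ranges over the elements of env[y]
    if op == 'ex':
        return any(holds(body, {**env, x: c}, X) for c in cands)
    if op == 'all':
        return all(holds(body, {**env, x: c}, X) for c in cands)
    raise ValueError(op)


def full_domain(n, k):
    return list(product(range(n), repeat=k))


def stages(phi, xs, domain):
    """I^0 = ∅, I^{m+1} = {ā ∈ domain : M ⊨ φ[ā, I^m]}, stopping at the first α with I^α = I^{α-1}."""
    seq = [frozenset()]
    while True:
        cur = seq[-1]
        nxt = frozenset(t for t in domain if holds(phi, dict(zip(xs, t)), cur))
        seq.append(nxt)
        if nxt == cur:
            return seq


def closure_ordinal(phi, xs, n):
    return len(stages(phi, xs, full_domain(n, len(xs)))) - 1


def lfp(phi, xs, n):
    return stages(phi, xs, full_domain(n, len(xs)))[-1]


def log_bits(n):
    """Number of bit positions of elements of {0, ..., n-1}; read as the paper's log(n-1)."""
    return (n - 1).bit_length()


def theorem1_bound(n, k):
    return (log_bits(n) + k) ** k


def lemma1_holds(phi, xs, n, A):
    """Check Lemma 1 exhaustively: φ[ā, A] iff φ[ā, A ∩ (∪ RTC(a_i))^k] (all a_i, a superset of F(φ))."""
    k = len(xs)
    for t in full_domain(n, k):
        B = set().union(*(rtc(a) for a in t))
        A_cut = frozenset(u for u in A if set(u) <= B)
        env = dict(zip(xs, t))
        if holds(phi, env, A) != holds(phi, env, A_cut):
            return False
    return True


def in_lfp_on_B(phi, xs, n, t):
    """Lemma 2: decide ā ∈ LFP(φ) by iterating only over B^k, B = {0..log(n-1)-1} ∪ {a_1..a_k}."""
    B = sorted(set(range(log_bits(n))) | set(t))
    return tuple(t) in stages(phi, xs, list(product(B, repeat=len(xs))))[-1]


def lemma2_agrees(phi, xs, n):
    full = lfp(phi, xs, n)
    return all(in_lfp_on_B(phi, xs, n, t) == (t in full) for t in full_domain(n, len(xs)))


# φ(x, y, X) = x ∈ y ∨ (∃z ∈ y) X(x, z): its least fixed point is {(x, y) : x ∈ TC(y)}.
TC_PHI = ('or', ('in', 'x', 'y'), ('ex', 'z', 'y', ('X', ('x', 'z'))))
XS = ('x', 'y')
```

On BIT_16 the longest membership chain is 0 ∈ 1 ∈ 2 ∈ 4, so the stages stabilise with I^4 = I^3 and the closure ordinal is 4, well below the Theorem 1 bound (4 + 2)^2 = 36; iterating only over B(ā)^2, which has at most 36 tuples, gives the same answer for every ā, as Lemma 2 states.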
4 Fixed-Points of Bounded Formulas on 𝓑𝓘𝓣 

A closer examination of Lemma 2 in the case of 𝓑𝓘𝓣 reveals that LFP(Δ_0)-
definable queries are also computable in (non-uniform) AC^0; the reason is that 
they only depend on O(log n) bits of the input (in fact, the relevant part of 
the input is that short already). The interesting question at this point is the 
following: which uniform version of AC^0 is captured by FO + LFP(Δ_0) on 𝓑𝓘𝓣? 
Our next theorem is the answer to this question. Before stating the result, we 
need some definitions. 

Let C = (C_1, C_2, …) be a sequence of boolean circuits, and let s_n be a 
bound on the size of C_n. Thus, gates in C_n may be numbered in {0, …, s_n − 1}. 

The direct connection language of C (see [?]) is the set of words of the form 
1^n # b_{s_n}(a) # b_{s_n}(b) # t, where gate b is an input to gate a, and the type of gate b 
is t ∈ {0, 1, 2, 3}. Here, t = 0 means that b is an AND gate, t = 1 means that b 
is an OR gate, t = 2 means that b is a positive input, and t = 3 means that b 
is a negated input. If 𝒞 is a complexity class, we say that C is 𝒞-uniform if there 
exists a language L ∈ 𝒞 such that for every word w of the form 1^n # a # b # t 
we have that w ∈ L if and only if w ∈ DCL(C). The class 𝒞-uniform AC^0 
is the class of all languages that are accepted by a 𝒞-uniform, polynomial-size, 
bounded-depth family of circuits (for languages L ⊆ Σ* with Σ ≠ {0, 1}, we 
say that L is accepted by a family of circuits C if h(L) is accepted by C for some 
fixed homomorphism h : Σ* → {0, 1}* [?]). 

Theorem 2. Let Q be a query on 𝓑𝓘𝓣. The following are equivalent: 

1. Q is computable in LH^P on 𝓑𝓘𝓣, 

2. Q is computable in DPOLYLOGTIME-uniform AC^0 on 𝓑𝓘𝓣, 

3. Q is definable in FO + LFP(Δ_0) on 𝓑𝓘𝓣. 

Proof: We close a cycle of implications. We first show that (i) implies (ii). Assume 
that Q is computable in LH^A for some A ∈ P. We may assume A ⊆ {0, 1}*. For 
every n, let F_n(x_1, …, x_n) be the following DNF-formula 

F_n(x_1, …, x_n) = ∨_{a ∈ A ∩ {0,1}^n} ( ∧_{a_i = 1} x_i ∧ ∧_{a_i = 0} ¬x_i ). 

Observe that F_n(a_1, …, a_n) is true if and only if the word a_1 … a_n belongs to 
A. The sequence (F_1, F_2, …), interpreted as a sequence of depth-two circuits, is 
exponential-size in n, but P-uniform (the words of its direct connection language 
are of the form 1^n # a # b # t with a, b ∈ {0, 1}^{O(n)}, and deciding membership can 
be done in polynomial time since A ∈ P). We now build a DPOLYLOGTIME-
uniform family of AC^0 circuits to compute Q. Let M be an oracle alternating 
Turing machine witnessing that Q is computable in LH^A, and assume that M 
queries its oracle at most once in each computation path (this is a standard 
trick in alternating machines; it consists of existentially guessing the answers, 
writing them down on a separate tape together with the nondeterministic branch 
taken at each step, and at the end of the computation, universally branching to 
check the correctness of every guess by deterministically resimulating the 
computation path until the challenged query is asked). Let c log n be a bound on the 
running time of M on inputs of length n. Observe that the length of each oracle 
query is bounded by c log n too. As in [?], we may see the computation trees 
of M as a DLOGTIME-uniform family of AC^0 circuits, except for the oracle 
queries, which may be resolved by DPOLYLOGTIME-uniform AC^0 circuits; 
namely, we let queries of length m ≤ c log n be resolved by the circuit above 
(exponential size in m ≤ c log n is polynomial size in n, and polynomial-time 
uniformity for length m ≤ c log n is polylogarithmic-time uniformity for length 
n). It follows that Q is computable in DPOLYLOGTIME-uniform AC^0. 

We see that (ii) implies (iii). Let Q be computable in DPOLYLOGTIME-
uniform AC^0 (recall the convention established just before the statement of the 
theorem). It is well-known that Q is then first-order definable with an additional 
built-in relation R = (R_1, R_2, …) that is computable in polylogarithmic 
time. We show how to replace every occurrence of this built-in relation by a 
formula of FO + LFP(Δ_0). For every n and ā = (a_1, …, a_k) ∈ {0, …, n − 1}^k, 
let M_ā = ({0, …, log(n − 1) − 1}, ∈, P_1^ā, …, P_k^ā), where P_i^ā = {m : m ∈ a_i}. 
Since R is a built-in relation computable in polylogarithmic time, the language 

{1^n # b_n(a_1) # … # b_n(a_k) : (a_1, …, a_k) ∈ R_n, n ≥ 1} 

is decidable in polylogarithmic time on inputs of the appropriate form. A simple 
unpadding argument shows then that the language {⟨M_ā⟩ : ā ∈ ∪_{n≥1} R_n} is in 
P (the length of ⟨M_ā⟩ is logarithmic in the length of ⟨{0, …, n − 1}, a_1, …, a_k⟩). 
Hence, by the Immerman-Vardi Theorem, the boolean query Q_R = {M_ā : ā ∈ 
∪_{n≥1} R_n} is definable in least fixed-point logic on the class of all structures of 
the form M_ā. We may even assume that Q_R is definable by a sentence of the form 
(LFP_{x,X} φ)(0) in which φ is a first-order formula, and 0 is a constant for zero. Let 
φ'(y, z, p_1, …, p_k, x, X) be the first-order formula over the vocabulary {∈} that 
results from the following substitution in φ: replace each occurrence of an atomic 
formula of the form P_i(u) by u ∈ p_i, replace each atomic formula of the form 
X(u) by X(y, z, p_1, …, p_k, u), and replace each subformula of the form (∃u)(ψ) 
by (∃u ∈ y)(ψ') ∨ (∃u ∈ z)(ψ'), where ψ' is the result of applying recursively the 
substitutions. Clearly, φ' is a Δ_0 formula. Moreover, it is not hard to see that 
for every a_1, …, a_k ∈ {0, …, n − 1}, we have that M_ā ⊨ (LFP_{x,X} φ)(0) if and 
only if 

({0, …, log(n − 1) − 1}, ∈) ⊨ (LFP_{y,z,p_1,…,p_k,x,X} φ')(r, s, a_1, …, a_k, 0), 

where s is the largest power of two in the universe, and r = s − 1 (observe that 
the binary representations of s and r are dual words; that is, j ∈ s if and only 
if j ∉ r for every j < log(log(n − 1) − 1), so that every element of the universe belongs to y or to z). Since r and s are first-order definable 
with ∈, we have shown that R is uniformly definable on 𝓑𝓘𝓣 by a sentence of 
FO + LFP(Δ_0). 

It remains to see that (iii) implies (i). Let φ(x_1, …, x_s) be a formula 
witnessing that Q is definable in FO + LFP(Δ_0). Without loss of generality, we may 
assume the following normal form for φ: 

(Q_1 y_1) ⋯ (Q_r y_r) ∧_{i=1}^{l} (ψ_{i,1} ∨ … ∨ ψ_{i,m_i}), 

where each Q_i is ∃ or ∀, and each ψ_{i,j} is either an atomic formula, or a formula 
of the form (LFP_{z̄,Z} θ)(z_1, …, z_g), with θ a Δ_0 formula. For every i, j, let Q_{i,j} 
be the query on 𝓑𝓘𝓣 defined by ψ_{i,j}, and let A be the following language over 
the alphabet {0, 1, #}, with n written in binary: 

{n # b_n(b_1) # … # b_n(b_g) # i # j : (b_1, …, b_g) ∈ Q_{i,j}(BIT_n)}. 

This language will be our oracle set (that it belongs to P will be shown later). 
An alternating Turing machine with oracle A may simulate φ as indicated next. 
On input ⟨BIT_n, a_1, …, a_s⟩ where a_1, …, a_s ∈ {0, …, n − 1}, the machine 
behaves as follows. First, it computes n. To this end, it existentially guesses 
the position of the leftmost # in the input, and universally branches to check 
that every smaller position contains a symbol other than #. Then, following 
the alternation pattern of the quantifier prefix of φ, the machine existentially or 
universally guesses r words w_1, …, w_r of length log(n − 1) each. The i-th word 
w_i is meant to be the binary representation of an element b_i ∈ {0, …, n − 1} that 
is to interpret the first-order variable y_i. The machine proceeds then to evaluate 
each formula ψ_{i,j} as follows. Assume ψ_{i,j} = ψ_{i,j}(z_1, …, z_g), where each 
variable z_k is either an x_l or a y_l. The machine will write an oracle query of 
the form n # d_1 # … # d_g # i # j where d_k = b_n(b_l) if z_k = y_l, and d_k = b_n(a_l) if 
z_k = x_l. Observe that the length of this query is O(log n), and it is easy to recover 
from the input (existentially guess each b_n(a_l) and universally branch to check 
that all guesses match the input). Clearly, the answer to this query is yes if and 
only if BIT_n ⊨ ψ_{i,j}[d_1, …, d_g] by the definition of the oracle set A. 

All that remains to show is that the language A belongs to P. This is fairly 
easy. If ψ_{i,j} is an atomic formula, there is almost nothing to see: equalities are 
checked at once, and atomic formulas of the form z_i ∈ z_j are also straightforward 
to check. If ψ_{i,j} is a formula of the form (LFP_{z̄,Z} θ)(z_1, …, z_g) with θ being a 
Δ_0 formula, then the query it defines is computable in DPOLYLOGTIME 
on 𝓑𝓘𝓣 by Lemma 2. Therefore, since the length of n # d_1 # … # d_g # i # j is 
logarithmic in the length of ⟨BIT_n, d_1, …, d_g⟩, a simple unpadding argument 
puts A in P. □ 

As a corollary, we obtain a characterization of the question on whether all 
polynomial-time decidable languages are rudimentary. The relationship between 
P and RUD remains unknown. It is known however that NL ⊆ RUD [?], 
where NL is the class of languages accepted in nondeterministic logarithmic 
space. 

Corollary 1. The following are equivalent: 

1. FO + LFP(Δ_0) ⊆ FO on 𝓑𝓘𝓣, 

2. P ⊆ RUD, 

3. P ⊆ LINH. 

Proof: Since RUD = LINH = ATIME(O(n), O(1)), it is enough to show that 
(i) and (iii) are equivalent. The implication from (i) to (iii) follows from Theorem 1 
in [?]. For the other implication, assume that P ⊆ LINH, and let Q be 
a query on 𝓑𝓘𝓣 that is definable by a FO + LFP(Δ_0) formula. By Theorem 2 
we have that Q is computable in LH^P, and so in LH^{LINH} by hypothesis. Let M be 
an oracle alternating Turing machine witnessing that Q is computable in LH^A 
for some A ∈ LINH, and let N be an alternating Turing machine witnessing 
that A ∈ LINH. Since an oracle Turing machine running in logarithmic time 
can only ask logarithmically long queries, oracle queries of M may be answered 
by N in logarithmic time with respect to the input to M. The number of 
alternations being constant, it follows that Q is computable in LH. Hence, Q is 
first-order definable on 𝓑𝓘𝓣. □ 

5 The Presence of Input Predicates 

The natural question at this point is what happens when input predicates, in 
addition to the membership (BIT) relation, are available. That is, we fix a 
relational vocabulary σ, and we wonder what is captured by FO + LFP(Δ_0) on 
classes of finite structures over σ with built-in membership relation. Somewhat 
surprisingly, we are only able to provide an exact answer in the case that σ is a 
unary vocabulary. In that case, the LFP(Δ_0)-definable queries still only depend 
on O(log n) bits of the input, and a similar argument as before goes through. 

Theorem 3. Let σ be a unary vocabulary, let C be a class of finite structures 
over σ with built-in membership relation, and let Q be a query on C. Then, the 
following are equivalent: 

1. Q is computable in LH^P on C, 

2. Q is computable in DPOLYLOGTIME-uniform AC^0 on C, 

3. Q is definable in FO + LFP(Δ_0) on C. 

Proof: The proofs that (i) implies (ii), and that (ii) implies (iii), go through 
as in Theorem 2 essentially without change. The proof that (iii) implies (i) 
uses an argument similar to the one in the proof of Lemma 2. Recall from 
Lemma 1 that if φ is a Δ_0 formula, then M ⊨ φ[a_1, …, a_s, A] if and only if M ⊨ 
φ[a_1, …, a_s, A ∩ (∪{RTC(a_i) : i ∈ F(φ)})^k]. Iterated application of this lemma 
with each of the relation symbols of σ shows then that M ⊨ φ[a_1, …, a_s, A] if 
and only if 

M ∩ B ⊨ φ[a_1, …, a_s, A ∩ B^k], 

where B = ∪{RTC(a_i) : i ∈ F(φ)}, and M ∩ B is the substructure of M generated 
by B. In turn, we remark that B ⊆ {0, …, log(|M| − 1) − 1} ∪ {a_1, …, a_s} 
since each element of TC(a_i) is a bit position of an element in {0, …, |M| − 1}. 
Moreover, a straightforward argument reveals that M ∩ B' is an end-extension 
of M ∩ B, where B' = {0, …, log(|M| − 1) − 1} ∪ {a_1, …, a_s}. Hence, M ⊨ 
φ[a_1, …, a_s, A] if and only if M ∩ B ⊨ φ[a_1, …, a_s, A ∩ B^k], and by absoluteness, 
if and only if M ∩ B' ⊨ φ[a_1, …, a_s, A ∩ B'^k]. With these observations in 
hand, we claim that: 

Claim. If Q is definable in FO + LFP(Δ_0) on C, then Q is definable by a formula 
of FO + LFP(Δ_0) in which no relation symbol from σ appears within the scope 
of a fixed-point operator. 

Proof: The main idea is that since every LFP(Δ_0) formula will only depend on 
O(log n) bits of the input predicates by the remarks above (here is the crucial 
point where we use the fact that the vocabulary is unary), we can existentially 
quantify these bits outside the LFP(Δ_0)-formula, and pass them to it as input 
variables. Formally, the argument is as follows. Assume for simplicity that σ 
consists of a unique relation symbol R; the general case is as easy. Let φ be a 
formula defining Q on C. Replace each occurrence in φ of a subformula of the 
form (LFP_{x̄,X} θ)(x_1, …, x_k), with θ a Δ_0 formula, by the formula 

(∃v)( (r ∈ v ↔ R(r)) ∧ (∀z ∈ s)(z ∈ v ↔ R(z)) ∧ 
      ∨_{w ∈ {0,1}^k} ( ∧_{w_i = 1} R(x_i) ∧ ∧_{w_i = 0} ¬R(x_i) ∧ (LFP_{y,x̄,X'} θ^w)(v, x_1, …, x_k) ) ), 

where θ^w is the result of replacing each atomic formula of the form R(u), with 
u a bound variable, by u ∈ v, each atomic formula of the form R(x_i) by x_i = x_i 
if w_i = 1, each atomic formula of the form R(x_j) by x_j ≠ x_j if w_j = 0, and 
each atomic formula of the form X(u) by X'(y, u). Here, r and s are existentially 
quantified variables set to the largest power of two of the universe, and to r − 1, 
respectively (observe that the binary representations of r and s are dual words). 
Observe that if v is a witness for the first-order variable of this formula, then its 
binary representation is encoding the first log(n − 1) bits of R. By the remarks 
preceding the claim, it is straightforward to check using standard absoluteness 
arguments that the modified formula is defining Q on C, as required. 

The rest of the proof that (iii) implies (i) is now almost identical to the 
proof of Theorem 2. Namely, access to the input predicates is only required 
when simulating the first-order part of the formula, and the simulation of the 
LFP(Δ_0)-parts of the formula may be asked to an oracle set in P. □ 

Observe that the argument of Theorem 3 does not go through for vocabularies 
of higher arities. In the case of digraphs, for example, the reason is that there 
are O((log |M|)^2) significant bits (instead of O(log |M|)) in the substructure 
M ∩ {0, …, log(|M| − 1)} of any digraph M. Although we do not provide an 
exact characterization of FO + LFP(Δ_0) for vocabularies of higher arities, we are 
able to compare the expressive power of FO + LFP(Δ_0) with a familiar complexity 
class. Recall from the introduction that RUD_{n^{1/r}} = ATIME(O(n^{1/r}), O(1)) (see 
Corollary 5 in [?]). 
Theorem 4. Let σ be a relational vocabulary of maximum arity r, and let C 
be the class of all finite structures over σ with built-in membership relation. If 
P ⊆ RUD_{n^{1/r}}, then FO + LFP(Δ_0) ⊆ FO on C. 

Proof sketch: Assume P ⊆ RUD_{n^{1/r}}, and let Q be a query on C definable in 
FO + LFP(Δ_0). It is enough to show that Q is computable in LH on C. Even 
easier, it is enough to show that each LFP(Δ_0)-formula can be evaluated in LH 
on the appropriate inputs. Let φ(x_1, …, x_k) be such a formula. Lemma 2 says 
that deciding whether M ⊨ φ[a_1, …, a_k] can be done in polylogarithmic time 
in |M|. Moreover, the same absoluteness argument as in the proof of Theorem 3 
reveals that M ⊨ φ[a_1, …, a_k] if and only if M ∩ S ⊨ φ[a_1, …, a_k], where 
S = {0, …, log(|M| − 1) − 1} ∪ {a_1, …, a_k}. Since only O((log |M|)^r) bits are 
relevant in M ∩ S, the same computation can be carried over an unpadded 
input that only contains these bits. The computation time is now polynomial 
in the length of the (unpadded) input, and therefore, by hypothesis, the same 
language is decidable in ATIME(O(n^{1/r}), O(1)) = RUD_{n^{1/r}} on the appropriate 
inputs. Since the length of these inputs is O((log |M|)^r), the alternating 
computation can be carried over the original inputs in time 

O(((log |M|)^r)^{1/r}) = O(log |M|), 

and still a constant number of alternations. That is, on the original inputs, the 
evaluation of φ can be done in LH as required. □ 

As mentioned in the introduction, Theorem 4 sets the link to an important 
problem related to the uniformity of circuits for integer division. Beame, 
Cook, and Hoover [?] showed that the problem of dividing two numbers can 
be computed by P-uniform bounded fan-in, logarithmic-depth circuits (NC^1). 
The result was improved by Reif [?] (see also [?]) who showed that the problem 
could be computed by P-uniform unbounded fan-in, bounded-depth circuits 
with majority gates (TC^0). However, it is not known whether the uniformity 
condition of their algorithm can be relaxed to DLOGTIME-uniformity, as is 
the case for the TC^0 circuits for addition, subtraction, and multiplication (see 
Barrington, Immerman and Straubing [?]). 

The Descriptive Complexity of the Fixed-Points of Bounded Formulas 

On the other hand, it is known that majority gates of polylogarithmically-
many bits may be simulated by DLOGTIME-uniform AC^0 circuits (see [?] 
for a similar construction). A circuit TH_k(x_1, …, x_m) computing whether at 
least k of the input bits x_1, …, x_m are 1 is recursively built as follows: 

TH_k(x_1, …, x_m) = ∨_{i_1 + ⋯ + i_s = k, i_j ≤ m/s} ∧_{j=1}^{s} TH_{i_j}(x_{(j−1)m/s + 1}, …, x_{jm/s}), 

where m = (log n)^{O(1)}, and s is suitably chosen so that the size of the circuit 
is polynomial in n, and the depth is a constant independent of n (the choice 
s = (log n)^ε works for sufficiently small ε). It is not hard to see that these 
circuits are DLOGTIME-uniform (a clever numbering of gates will tell all the 
required information to the DLOGTIME algorithm that computes the direct 
connection language). The well-known power of AC^0 circuits to do arithmetic 
on numbers with polylogarithmically-many significant bits follows from Reif's 
result, and the known algorithms for addition, subtraction and multiplication. 
However, while addition, subtraction and multiplication of polylogarithmically-
long numbers admit DLOGTIME-uniform AC^0 circuits, the known algorithms 
for division fall short since they only give DPOLYLOGTIME-uniform 
AC^0 circuits. We note that Theorem 3 implies that division of numbers with 
polylogarithmically-many significant bits is definable in FO + LFP(Δ_0) on the 
class of finite words with built-in membership relation. We do not know, however, 
of a direct proof of this fact. 
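The recursive threshold construction TH_k above, as an added worked example (not code from the paper). It builds TH_k as an explicit OR-of-ANDs tree with s blocks of m/s inputs each, recursing down to single inputs, and checks the result against the direct definition "at least k of the inputs are 1"; the choice m = 16 and s = 4 is the example's own, and the constant gates for TH_0 (always true) and TH_k with k > m (always false) are the natural base cases the text leaves implicit.

```python
"""Added example (not from the paper): the recursive threshold circuit TH_k,
built as an explicit OR-of-ANDs tree and checked against 'at least k ones'."""
from functools import lru_cache
from itertools import product


def compositions(k, s, cap):
    """All (i_1, ..., i_s) with i_1 + ... + i_s = k and 0 <= i_j <= cap."""
    if s == 1:
        if 0 <= k <= cap:
            yield (k,)
        return
    for i in range(min(k, cap) + 1):
        for rest in compositions(k - i, s - 1, cap):
            yield (i,) + rest


@lru_cache(maxsize=None)
def build_th(k, inputs, s):
    """TH_k over the given input indices, with s blocks of len(inputs)/s inputs:
    TH_k = OR over i_1+...+i_s = k, i_j <= m/s, of AND_j TH_{i_j}(block j).
    Gates: ('in', i), ('const', b), ('and', children), ('or', children).
    Sub-circuits are shared (memoised) exactly as gates would be in the circuit."""
    m = len(inputs)
    if k == 0:
        return ('const', True)      # base case: zero ones are always present
    if k > m:
        return ('const', False)     # base case: more ones than inputs is impossible
    if m == 1:
        return ('in', inputs[0])    # TH_1 of a single bit is that bit
    if m % s:
        raise ValueError('s must divide the number of inputs')
    block = m // s
    blocks = [inputs[j * block:(j + 1) * block] for j in range(s)]
    ands = [('and', tuple(build_th(i_j, blocks[j], s) for j, i_j in enumerate(comp)))
            for comp in compositions(k, s, block)]
    return ('or', tuple(ands))


def evaluate(gate, x):
    kind = gate[0]
    if kind == 'const':
        return gate[1]
    if kind == 'in':
        return bool(x[gate[1]])
    if kind == 'and':
        return all(evaluate(g, x) for g in gate[1])
    return any(evaluate(g, x) for g in gate[1])


def depth(gate):
    """Number of AND/OR gates on the longest path: constant in m for fixed recursion depth."""
    if gate[0] in ('const', 'in'):
        return 0
    return 1 + max(depth(g) for g in gate[1])


def threshold_ok(m, s, vectors):
    """Does TH_k agree with 'at least k ones' on every given vector and every k?"""
    inputs = tuple(range(m))
    return all(evaluate(build_th(k, inputs, s), x) == (sum(x) >= k)
               for x in vectors for k in range(m + 2))


def exhaustive_ok(m, s):
    return threshold_ok(m, s, list(product((0, 1), repeat=m)))
```

With m = 16 and s = 4 the recursion has two levels, so every TH_k with 1 ≤ k ≤ 16 has depth 4 (OR, AND, OR, AND) regardless of k, which is the constant-depth property the text needs; the number of gates grows with the compositions of k into s parts, which is what the choice s = (log n)^ε keeps polynomial in n.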
Abstract. Takeuti and Titani have introduced and investigated a logic 
they called intuitionistic fuzzy logic. This logic is characterized as the 
first-order Gödel logic based on the truth value set [0, 1]. The logic is 
known to be axiomatizable, but no deduction system amenable to proof-
theoretic, and hence, computational treatment, has been known. Such a 
system is presented here, based on previous work on hypersequent calculi 
for propositional Gödel logics by Avron. It is shown that the system is 
sound and complete, and allows cut-elimination. A question by Takano 
regarding the eliminability of the Takeuti-Titani density rule is answered 
affirmatively. 



1 Introduction 

Intuitionistic fuzzy logic IF was originally defined by Takeuti and Titani to be 
the logic of the complete Heyting algebra [0, 1]. In standard many-valued 
terminology, IF is [0, 1]-valued first-order Gödel logic, with truth functions as defined 
below. The finite-valued propositional versions of this logic were introduced by 
Gödel [?], and have spawned a sizeable area of logical research subsumed under 
the title "intermediate logics" (intermediate between classical and intuitionistic 
logic). The infinite-valued propositional Gödel logic was studied by Dummett 
[?], who showed that it is axiomatized by LC, i.e., intuitionistic propositional 
logic plus the linearity axiom (A ⊃ B) ∨ (B ⊃ A). 

Takeuti and Titani [?] characterized IF by a calculus which extends the 
intuitionistic predicate calculus LJ by several axioms as well as the density rule 

Γ ⊢ A ∨ (C ⊃ p) ∨ (p ⊃ B) 
———————————————————— 
Γ ⊢ A ∨ (C ⊃ B) 

This rule can be read as expressing the fact that the set of truth values is 
densely ordered. In this sense, the Takeuti-Titani axiomatization is the natural 
axiomatization of the [0, 1]-valued Gödel logic. The valid formulas of IF are 
also characterized as those formulas valid in every first-order Gödel logic based 
on a linearly ordered set of truth values (this is obvious for all logics based on 
truth value sets ⊆ [0, 1], since a countermodel in such a truth-value set can be 
straightforwardly embedded in [0, 1]. The general claim was established by Horn 
[?]). In this characterization, the density rule is not a natural assumption, since 
not every linearly ordered truth-value set is densely ordered. It follows from 
this characterization that the density rule is redundant¹ for the axiomatization 
of IF, and completeness proofs without it have been given by Horn [?] and 
Takano [?]. Takano posed the question of whether a syntactic elimination of 
the density rule is also possible. 

More recently, another axiomatizable first-order extension of LC has been 
studied by Corsi [?] and Avellone et al. [?]. This extension is defined not via 
many-valued semantics but as the class of formulas valid in all linearly ordered 
intuitionistic Kripke models. It is different from IF; specifically, the formula 
(∀∨) below is not valid in it. IF can, however, also be characterized as the set 
of formulas valid in all linearly ordered Kripke models with constant domains 
(this was first observed by Gabbay [?, §3]). 

The interest of IF lies in the fact that it combines properties of logics for 
approximate reasoning with properties of intuitionistic logic. On the one hand, 
IF is one of the basic t-norm logics (see Hájek [?]), on the other, it is an extension 
of intuitionistic logic which corresponds to concurrency (as has been argued by 
Avron [?]). We present here a calculus for IF which is adequate for further proof-
theoretic study. The basic result in this regard is the cut-elimination theorem 
for this calculus, from which a midhypersequent theorem can be derived. This 
theorem, in turn, corresponds to Herbrand's Theorem in classical logic, and as 
such is a possible basis for automated theorem proving in IF. 

The calculus also allows us to investigate the proof-theoretic effects of the 
Takeuti-Titani rule. We give a positive answer to Takano’s question, showing that 
the density rule can be eliminated from IF-proofs. A simple example illustrates 
the possible structural differences between proofs with and without the Takeuti- 
Titani rule. 

2 Syntax and Semantics of Intuitionistic Fuzzy Logic 

The language L of IF is a usual first-order language with propositional variables 
and where free (a, b, …) and bound (x, y, …) variables are distinguished. 

Definition 1. An IF-interpretation ℑ = ⟨D, s⟩ is given by the domain D and 
the valuation function s. Let L^D be L extended by constants for each element of 
D. Then s maps atomic formulas in Frm(L^D) into [0, 1], d ∈ D to itself, n-ary 
function symbols to functions from D^n to D, and free variables to elements of D. 

The valuation function s can be extended in the obvious way to a function 
on all terms. The valuation for formulas is defined as follows: 

¹ Note that the corresponding axiom (∀p)((A ⊃ p) ∨ (p ⊃ B)) ⊃ (A ⊃ B) is not 
redundant in quantified propositional [0, 1]-valued Gödel logic. See [?]. 
1. A = P(t_1, …, t_n) is atomic: ℑ(A) = s(P)(s(t_1), …, s(t_n)). 

2. A = ¬B: ℑ(¬B) = 0 if ℑ(B) ≠ 0, and 1 otherwise. 

3. A = B ∧ C: ℑ(B ∧ C) = min(ℑ(B), ℑ(C)). 

4. A = B ∨ C: ℑ(B ∨ C) = max(ℑ(B), ℑ(C)). 

5. A = B ⊃ C: ℑ(B ⊃ C) = ℑ(C) if ℑ(B) > ℑ(C), and 1 if ℑ(B) ≤ ℑ(C). 

The set Distr_ℑ(A(x)) = {ℑ(A(d)) : d ∈ D} is called the distribution of A(x). The 
quantifiers are, as usual, defined by infimum and supremum of their distributions. 

6. A = (∀x)B(x): ℑ(A) = inf Distr_ℑ(B(x)). 

7. A = (∃x)B(x): ℑ(A) = sup Distr_ℑ(B(x)). 

ℑ satisfies a formula A, ℑ ⊨ A, if ℑ(A) = 1. A formula A is IF-valid if every 
IF-interpretation satisfies it. 

Note that, as in intuitionistic logic, ¬A may be defined as A ⊃ ⊥, where ⊥ 
is some formula that always takes the value 0. 
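The truth functions of clauses 1 to 7, as an added worked example (this code is not part of the paper). It evaluates formulas of IF over a finite domain, where inf and sup become min and max, and then checks a few facts stated in the surrounding text on a finite grid of truth values: the linearity axiom (A ⊃ B) ∨ (B ⊃ A) is valid, excluded middle is not, the schema (∀∨) is valid, and the density rule is sound only because [0, 1] is dense: on the grid {0, 1/4, 1/2, 3/4, 1} the premise A ∨ (C ⊃ p) ∨ (p ⊃ B) takes value 1 for every grid value of p while the conclusion A ∨ (C ⊃ B) does not, and a p strictly between B and C restores the failure. The formula encoding as nested tuples and the particular grid and assignments are the example's own.

```python
"""Added example (not from the paper): an evaluator for [0,1]-valued
first-order Gödel logic (IF) following Definition 1 and clauses 1-7."""
from itertools import product


def imp(b, c):
    """Gödel implication: 1 if b <= c, otherwise c (clause 5)."""
    return 1.0 if b <= c else c


def neg(b):
    """Gödel negation: 1 if b == 0, otherwise 0 (clause 2)."""
    return 1.0 if b == 0 else 0.0


def value(f, domain, atoms, env=None):
    """Truth value of f in the interpretation given by `domain` and `atoms`.
    `atoms` maps (predicate name, tuple of domain elements) to [0,1];
    propositional variables are 0-ary predicates. Formula syntax:
    ('P', name, var, ...), ('not', f), ('and', f, g), ('or', f, g),
    ('imp', f, g), ('all', x, f), ('ex', x, f)."""
    env = env or {}
    op = f[0]
    if op == 'P':
        return atoms[(f[1], tuple(env[v] for v in f[2:]))]
    if op == 'not':
        return neg(value(f[1], domain, atoms, env))
    if op == 'and':
        return min(value(f[1], domain, atoms, env), value(f[2], domain, atoms, env))
    if op == 'or':
        return max(value(f[1], domain, atoms, env), value(f[2], domain, atoms, env))
    if op == 'imp':
        return imp(value(f[1], domain, atoms, env), value(f[2], domain, atoms, env))
    x, body = f[1], f[2]
    dist = [value(body, domain, atoms, {**env, x: d}) for d in domain]   # Distr(body(x))
    return min(dist) if op == 'all' else max(dist)                       # inf / sup on a finite domain


def valid_on_grid(f, domain, keys, grid):
    """Does f take value 1 under every assignment of grid values to the atoms in `keys`?"""
    return all(value(f, domain, dict(zip(keys, vals))) == 1.0
               for vals in product(grid, repeat=len(keys)))


A, B, C, P = ('P', 'A'), ('P', 'B'), ('P', 'C'), ('P', 'p')
Ax = ('P', 'A', 'x')
LINEARITY = ('or', ('imp', A, B), ('imp', B, A))
EXCLUDED_MIDDLE = ('or', A, ('not', A))
QUANT_SHIFT = ('imp', ('all', 'x', ('or', Ax, B)), ('or', ('all', 'x', Ax), B))   # the schema (∀∨)
DENSITY_PREMISE = ('or', A, ('or', ('imp', C, P), ('imp', P, B)))
DENSITY_CONCLUSION = ('or', A, ('imp', C, B))
GRID = [i / 4 for i in range(5)]        # constructed finite truth-value grid


def propositional_valid(f, names, grid=GRID):
    return valid_on_grid(f, [], [(n, ()) for n in names], grid)


def quant_shift_valid(domain=(0, 1, 2), grid=GRID):
    keys = [('A', (d,)) for d in domain] + [('B', ())]
    return valid_on_grid(QUANT_SHIFT, list(domain), keys, grid)


def density_rule_on_grid(a, c, b, grid=GRID):
    """(premise is 1 for every grid value of p, value of the conclusion,
    value of the premise at the midpoint between b and c, which need not lie on the grid)."""
    base = {('A', ()): a, ('B', ()): b, ('C', ()): c}
    premise_ok = all(value(DENSITY_PREMISE, [], {**base, ('p', ()): p}) == 1.0 for p in grid)
    conclusion = value(DENSITY_CONCLUSION, [], base)
    between = value(DENSITY_PREMISE, [], {**base, ('p', ()): (b + c) / 2})
    return premise_ok, conclusion, between
```

With A = 0, C = 1/2 and B = 1/4 the premise evaluates to 1 for all five grid values of p, yet the conclusion is only 1/4; the value p = 3/8 gives the premise the value 3/8, which is why the rule is sound over [0, 1] and why, as the text notes, the density rule is not a natural assumption for truth-value sets that are linearly but not densely ordered.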



3 Hypersequents and IF 

Takeuti and Titani's system IF is based on Gentzen's sequent calculus LJ for 
intuitionistic logic with a number of extra axioms 

⊢ (A ⊃ B) ∨ ((A ⊃ B) ⊃ B)                               (Ax1) 

(A ⊃ B) ⊃ B ⊢ (B ⊃ A) ∨ B                               (Ax2) 

(A ∧ B) ⊃ C ⊢ (A ⊃ C) ∨ (B ⊃ C)                          (Ax3) 

(A ⊃ (B ∨ C)) ⊢ (A ⊃ B) ∨ (A ⊃ C)                        (Ax4) 

(∀x)(A(x) ∨ B) ⊢ (∀x)A(x) ∨ B                            (∀∨) 

(∀x)A(x) ⊃ C ⊢ (∃x)(A(x) ⊃ D) ∨ (D ⊃ C)                  (∀⊃) 

(where x does not occur in B or D) and the following additional inference rule: 

Γ ⊢ A ∨ (C ⊃ p) ∨ (p ⊃ B) 
———————————————————— (tt) 
Γ ⊢ A ∨ (C ⊃ B) 

where p is a propositional eigenvariable (i.e., it does not occur in the lower 
sequent). It is known that the extra inference rule is redundant. In fact, the 
system H of Horn [?] consisting of LJ plus the schemata 

(∀x)(A(x) ∨ B) ⊃ (∀x)A(x) ∨ B                            (∀∨) 

(A ⊃ B) ∨ (B ⊃ A)                                        (D) 

is complete for IF (see also [?]). Neither of these systems, however, has decent 
proof-theoretic properties such as cut elimination, nor is a syntactic method for 
the elimination of the Takeuti-Titani rule (tt) known. Takano [?] has posed 
the question of a syntactic elimination procedure of the Takeuti-Titani rule as 
an open problem. 

We present a system which has the required properties, and which allows 
the syntactic elimination of the Takeuti-Titani rule. Our system is based on 
Avron's [?] cut-free axiomatization of LC using a hypersequent calculus. 

Definition 2. A sequent is an expression of the form

$\Gamma \vdash \Delta$

where $\Gamma$ and $\Delta$ are finite multisets of formulas, and $\Delta$ contains at most one formula. A hypersequent is a finite multiset of sequents, written as

$\Gamma_1 \vdash \Delta_1 \mid \dots \mid \Gamma_n \vdash \Delta_n$

The hypersequent calculus HIF has the following axioms and rules:

Axioms: $A \vdash A$, for any formula $A$.

Internal structural rules:

$\dfrac{G \mid \Gamma \vdash \Delta}{G \mid A, \Gamma \vdash \Delta}$ (iw $\vdash$)   $\dfrac{G \mid \Gamma \vdash}{G \mid \Gamma \vdash A}$ ($\vdash$ iw)   $\dfrac{G \mid A, A, \Gamma \vdash \Delta}{G \mid A, \Gamma \vdash \Delta}$ (ic $\vdash$)

External structural rules:

$\dfrac{G}{G \mid \Gamma \vdash \Delta}$ (ew)   $\dfrac{G \mid \Gamma \vdash \Delta \mid \Gamma \vdash \Delta}{G \mid \Gamma \vdash \Delta}$ (ec)

Logical rules:

$\dfrac{G \mid \Gamma \vdash A}{G \mid \neg A, \Gamma \vdash}$ ($\neg \vdash$)   $\dfrac{G \mid A, \Gamma \vdash}{G \mid \Gamma \vdash \neg A}$ ($\vdash \neg$)

$\dfrac{G \mid A, \Gamma \vdash \Delta}{G \mid A \wedge B, \Gamma \vdash \Delta}$ ($\wedge \vdash_1$)   $\dfrac{G \mid B, \Gamma \vdash \Delta}{G \mid A \wedge B, \Gamma \vdash \Delta}$ ($\wedge \vdash_2$)   $\dfrac{G \mid \Gamma \vdash A \quad G \mid \Gamma \vdash B}{G \mid \Gamma \vdash A \wedge B}$ ($\vdash \wedge$)

$\dfrac{G \mid A, \Gamma \vdash \Delta \quad G \mid B, \Gamma \vdash \Delta}{G \mid A \vee B, \Gamma \vdash \Delta}$ ($\vee \vdash$)   $\dfrac{G \mid \Gamma \vdash A}{G \mid \Gamma \vdash A \vee B}$ ($\vdash \vee_1$)   $\dfrac{G \mid \Gamma \vdash B}{G \mid \Gamma \vdash A \vee B}$ ($\vdash \vee_2$)

$\dfrac{G \mid \Gamma_1 \vdash A \quad G \mid B, \Gamma_2 \vdash \Delta}{G \mid A \supset B, \Gamma_1, \Gamma_2 \vdash \Delta}$ ($\supset \vdash$)   $\dfrac{G \mid A, \Gamma \vdash B}{G \mid \Gamma \vdash A \supset B}$ ($\vdash \supset$)

$\dfrac{G \mid A(t), \Gamma \vdash \Delta}{G \mid (\forall x)A(x), \Gamma \vdash \Delta}$ ($\forall \vdash$)   $\dfrac{G \mid \Gamma \vdash A(a)}{G \mid \Gam​ma \vdash (\forall x)A(x)}$ ($\vdash \forall$)

$\dfrac{G \mid A(a), \Gamma \vdash \Delta}{G \mid (\exists x)A(x), \Gamma \vdash \Delta}$ ($\exists \vdash$)   $\dfrac{G \mid \Gamma \vdash A(t)}{G \mid \Gamma \vdash (\exists x)A(x)}$ ($\vdash \exists$)

Cut:

$\dfrac{G \mid \Gamma \vdash A \quad G \mid A, \Pi \vdash \Delta}{G \mid \Gamma, \Pi \vdash \Delta}$ (cut)

Communication:

$\dfrac{G \mid \Theta_1, \Theta_1' \vdash \Sigma_1 \quad G \mid \Theta_2, \Theta_2' \vdash \Sigma_2}{G \mid \Theta_1, \Theta_2' \vdash \Sigma_1 \mid \Theta_1', \Theta_2 \vdash \Sigma_2}$ (cm)

Density:

$\dfrac{G \mid \Phi \vdash p \mid p, \Psi \vdash \Sigma}{G \mid \Phi, \Psi \vdash \Sigma}$ (tt)

The rules ($\vdash \forall$), ($\exists \vdash$), and (tt) are subject to eigenvariable conditions: the free variable $a$ and the propositional variable $p$, respectively, must not occur in the lower hypersequent. We denote the calculus obtained from HIF by omitting the cut rule by HIF$^-$, and that obtained by omitting (tt) by HIF$^*$.

The semantics of IF can easily be extended to hypersequents by mapping a hypersequent $H$

$\Gamma_1 \vdash \Delta_1 \mid \dots \mid \Gamma_n \vdash \Delta_n$

to the formula $H^*$

$(\bigwedge \Gamma_1 \supset \bigvee \Delta_1) \vee \dots \vee (\bigwedge \Gamma_n \supset \bigvee \Delta_n)$

where $\bigwedge \Gamma_i$ denotes the conjunction of the formulas in $\Gamma_i$ or $\top$ if $\Gamma_i$ is empty, and $\bigvee \Delta_i$ the disjunction of the formulas in $\Delta_i$ or $\bot$ if $\Delta_i$ is empty. Deriving a formula $A$ in HIF then is equivalent to deriving the sequent $\vdash A$: the translation of $\vdash A$, i.e., $\top \supset A$, is equivalent to $A$.

Theorem 3 (Soundness). Every hypersequent $H$ derivable in HIF is IF-valid.

Proof. By induction on the length of the proof. It will suffice to show that the axioms are valid, and that the quantifier rules and (tt) preserve validity.

The soundness of the quantifier rules is established by observing that corresponding quantifier shifting rules are intuitionistically valid. For instance, since

$(\exists x)(B \vee A(x)) \supset (B \vee (\exists x)A(x))$ ($\vee\exists$)

$(\exists x)(B \supset A(x)) \supset (B \supset (\exists x)A(x))$ ($\supset\exists$)

are intuitionistically valid, it is easily seen that ($\vdash\exists$) is a sound rule. The only problematic rules are ($\vdash\forall$) and ($\exists\vdash$). Suppose $G \mid \Gamma \vdash A(a)$ is derivable in HIF. By induction hypothesis, $G^* \vee (\bigwedge \Gamma \supset A(a))$ is valid. Then certainly $(\forall x)(G^* \vee (\bigwedge \Gamma \supset A(x)))$ is IF-valid. Since $a$ did not occur in $G$ or $\Gamma$, we may now assume that $x$ does not either. Since the quantifier shift ($\forall\vee$), i.e.,

$(\forall x)(B \vee A(x)) \supset (B \vee (\forall x)A(x)),$

is valid in IF, we see that $G^* \vee (\forall x)(\bigwedge \Gamma \supset A(x))$ is valid. The result follows since

$(\forall x)(B \supset A(x)) \supset (B \supset (\forall x)A(x))$

is intuitionistically valid, and hence IF-valid.
The communication rule is sound as well. Suppose the interpretation $\mathfrak{I}$ satisfies the premises of (cm). The only case where the conclusion is not obviously also satisfied is if $\mathfrak{I}(\Theta_1') < \mathfrak{I}(\Sigma_1)$ and $\mathfrak{I}(\Theta_2') < \mathfrak{I}(\Sigma_2)$. If the left lower sequent is not satisfied, we have $\mathfrak{I}(\Sigma_1) < \mathfrak{I}(\Theta_2')$, and hence $\mathfrak{I}(\Theta_1') < \mathfrak{I}(\Sigma_2)$, and thus the right lower sequent is satisfied. Similarly if the right lower sequent is not satisfied.

For (tt) we may argue as follows: Suppose that the hypersequent

$H = G \mid \Phi \vdash p \mid p, \Psi \vdash \Sigma$

is IF-valid. Let $\mathfrak{I}$ be an interpretation, and let $\mathfrak{I}_r$ be just like $\mathfrak{I}$ except that $\mathfrak{I}_r(p) = r$. Since $p$ does not occur in the conclusion hypersequent

$H' = G \mid \Phi, \Psi \vdash \Sigma$

we have $\mathfrak{I}(H') = \mathfrak{I}_r(H')$ and $\mathfrak{I}(G) = \mathfrak{I}_r(G)$. If $\mathfrak{I} \models G$ we are done. Otherwise, assume that $\mathfrak{I} \not\models H'$, i.e.,

$r_1 = \min\{\mathfrak{I}(\Phi), \mathfrak{I}(\Psi)\} > \mathfrak{I}(\Sigma) = r_2$

Let $r = (r_1 + r_2)/2$. Now consider $\mathfrak{I}_r$: $\mathfrak{I}_r \not\models G$ by assumption; $\mathfrak{I}_r \not\models \Phi \vdash p$, since $\mathfrak{I}_r(\Phi) > r$; and $\mathfrak{I}_r \not\models p, \Psi \vdash \Sigma$, since $\mathfrak{I}_r(\Psi) > r > \mathfrak{I}_r(\Sigma)$. Hence, $\mathfrak{I}_r \not\models H$, a contradiction. □
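To make the $[0,1]$-valued semantics of Sect. 2, the hypersequent translation $H^*$ of Sect. 3 and the two soundness arguments just given concrete, here is an added example; it is not code from the paper. It evaluates propositional formulas under the Gödel truth functions, decides satisfaction of sequents and hypersequents exactly as $H^*$ prescribes, checks the Takeuti-Titani schemata and Horn's (D) for validity by exhaustive search over a finite grid of truth values (enough, since the connectives depend only on the relative order of their arguments), and replays the (cm) and (tt) cases of Theorem 3 with $G$ empty and atomic components, the latter by constructing $\mathfrak{I}_r$ with $r = (r_1 + r_2)/2$ as in the proof. The tuple encoding of formulas, the grid and the variable names are choices made for this example.

```python
from fractions import Fraction
from itertools import product

# Formula ASTs, constructed for this example:
#   ('var', name) | ('neg', A) | ('and', A, B) | ('or', A, B) | ('imp', A, B)
def var(n): return ('var', n)
def neg(a): return ('neg', a)
def land(a, b): return ('and', a, b)
def lor(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)

def val(A, I):
    """I(A) for a propositional formula, following clauses 1-5 of Sect. 2;
    I maps variable names to values in [0, 1]."""
    op = A[0]
    if op == 'var':
        return I[A[1]]
    if op == 'neg':
        return Fraction(1) if val(A[1], I) == 0 else Fraction(0)
    if op == 'and':
        return min(val(A[1], I), val(A[2], I))
    if op == 'or':
        return max(val(A[1], I), val(A[2], I))
    b, c = val(A[1], I), val(A[2], I)   # op == 'imp'
    return Fraction(1) if b <= c else c

# Goedel connectives depend only on the order of their arguments, so a grid
# with enough distinct values decides validity of small propositional
# formulas: five values cover every order type of up to three variables.
GRID = [Fraction(k, 4) for k in range(5)]

def interpretations(names):
    for vs in product(GRID, repeat=len(names)):
        yield dict(zip(names, vs))

def valid(A, names):
    """IF-validity of a propositional formula over its variables."""
    return all(val(A, I) == 1 for I in interpretations(names))

def sat_sequent(gamma, delta, I):
    """I satisfies Gamma |- Delta iff I(min Gamma) <= I(max Delta); an empty
    antecedent counts as top (1), an empty succedent as bottom (0)."""
    lhs = min((val(A, I) for A in gamma), default=Fraction(1))
    rhs = max((val(A, I) for A in delta), default=Fraction(0))
    return lhs <= rhs

def sat_hyper(H, I):
    """A hypersequent (list of (Gamma, Delta) pairs) holds iff some component
    holds, matching the disjunctive translation H* of Sect. 3."""
    return any(sat_sequent(g, d, I) for g, d in H)

A, B, C = var('A'), var('B'), var('C')

def axiom_report():
    """Validity of the Takeuti-Titani schemata (sequents read as implications),
    Horn's (D), and, for contrast, classical excluded middle."""
    schemata = {
        'Ax1': lor(imp(A, B), imp(imp(A, B), B)),
        'Ax2': imp(imp(imp(A, B), B), lor(imp(B, A), B)),
        'Ax3': imp(imp(land(A, B), C), lor(imp(A, C), imp(B, C))),
        'Ax4': imp(imp(A, lor(B, C)), lor(imp(A, B), imp(A, C))),
        'D':   lor(imp(A, B), imp(B, A)),
        'LEM': lor(A, neg(A)),
    }
    return {name: valid(f, ['A', 'B', 'C']) for name, f in schemata.items()}

CM_VARS = ['t1', 't1p', 't2', 't2p', 's1', 's2']

def communication_sound():
    """The (cm) case of Thm. 3 with G empty and atomic components: whenever
    both premises hold, one of the two conclusion components holds."""
    t1, t1p, t2, t2p, s1, s2 = (var(n) for n in CM_VARS)
    for I in interpretations(CM_VARS):
        prem1 = sat_sequent([t1, t1p], [s1], I)
        prem2 = sat_sequent([t2, t2p], [s2], I)
        concl = sat_hyper([([t1, t2p], [s1]), ([t1p, t2], [s2])], I)
        if prem1 and prem2 and not concl:
            return False
    return True

def density_countermodel_transfers():
    """Contrapositive of the (tt) case of Thm. 3 with G empty: every grid
    interpretation refuting Phi, Psi |- Sigma, extended by p := (r1 + r2)/2
    as in the proof, refutes the premise Phi |- p | p, Psi |- Sigma."""
    phi, psi, sigma, p = var('phi'), var('psi'), var('sigma'), var('p')
    for I in interpretations(['phi', 'psi', 'sigma']):
        if sat_sequent([phi, psi], [sigma], I):
            continue                      # not a countermodel of the conclusion
        r1, r2 = min(I['phi'], I['psi']), I['sigma']   # here r1 > r2
        Ir = dict(I, p=(r1 + r2) / 2)
        if sat_hyper([([phi], [p]), ([p, psi], [sigma])], Ir):
            return False
    return True

if __name__ == '__main__':
    print(axiom_report())
    print(communication_sound(), density_countermodel_transfers())
```

Exact rational arithmetic is used so that the midpoint $r$ lies strictly between $r_2$ and $r_1$ without rounding; with floats the strict inequalities in the (tt) argument could be spoiled for values that are very close together.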



Theorem 4 (Completeness). Every IF-valid hypersequent is derivable in HIF.

Proof. Observe that a hypersequent $H$ and its canonical translation $\vdash H^*$ are interderivable using the cut rule and the following derivable hypersequents

$A \vee B \vdash A \mid A \vee B \vdash B$   $A \supset B, A \vdash B$   $A \wedge B \vdash A$   $A \vdash A \vee B$

Thus it suffices to show that the characteristic axioms of IF are derivable; a simple induction on the length of proofs shows that proofs in intuitionistic predicate calculus together with the axioms (D) and ($\forall\vee$) can be simulated in HIF. The formula (D) is easily derivable using the communication rule (each line follows from the line above it by the indicated rule):

$A \vdash A$   $B \vdash B$

$A \vdash B \mid B \vdash A$   (cm)

$\vdash A \supset B \mid \vdash B \supset A$   ($\vdash\supset$)

$\vdash (A \supset B) \vee (B \supset A) \mid \vdash B \supset A$   ($\vdash\vee$)

$\vdash (A \supset B) \vee (B \supset A) \mid \vdash (A \supset B) \vee (B \supset A)$   ($\vdash\vee$)

$\vdash (A \supset B) \vee (B \supset A)$   (ec)
The formula ($\forall\vee$) can be obtained thus (each line follows from the line above it by the indicated rule):

$A(a) \vdash A(a)$   $B \vdash B$

$B \vdash A(a) \mid A(a) \vdash B$   (cm)

$B \vdash A(a) \mid B \vee A(a) \vdash B$   ($\vee\vdash$, with $B \vdash A(a) \mid B \vdash B$ obtained from $B \vdash B$ by (ew))

$B \vee A(a) \vdash A(a) \mid B \vee A(a) \vdash B$   ($\vee\vdash$, with $A(a) \vdash A(a) \mid B \vee A(a) \vdash B$ obtained from $A(a) \vdash A(a)$ by (ew))

$(\forall x)(B \vee A(x)) \vdash A(a) \mid B \vee A(a) \vdash B$   ($\forall\vdash$)

$(\forall x)(B \vee A(x)) \vdash A(a) \mid (\forall x)(B \vee A(x)) \vdash B$   ($\forall\vdash$)

$(\forall x)(B \vee A(x)) \vdash (\forall x)A(x) \mid (\forall x)(B \vee A(x)) \vdash B$   ($\vdash\forall$)

$(\forall x)(B \vee A(x)) \vdash B \vee (\forall x)A(x)$

The last line is obtained from the preceding by two ($\vdash\vee$) inferences, followed by an external contraction. We indicate this with the double inference line. □



Of course, the other axioms of Takeuti's and Titani's system are also derivable. We will leave the propositional axioms 1-4 as an exercise to the reader, and give the derivation of ($\forall\supset$) as another example (each line follows from the line above it by the indicated rule):

$A(a) \vdash A(a)$   $D \vdash D$

$A(a) \vdash D \mid D \vdash A(a)$   (cm)

$\vdash A(a) \supset D \mid D \vdash A(a)$   ($\vdash\supset$)

$\vdash (\exists x)(A(x) \supset D) \mid D \vdash A(a)$   ($\vdash\exists$)

$\vdash (\exists x)(A(x) \supset D) \mid D \vdash (\forall x)A(x)$   ($\vdash\forall$)

$\vdash (\exists x)(A(x) \supset D) \mid (\forall x)A(x) \supset C, D \vdash C$   ($\supset\vdash$, with $\vdash (\exists x)(A(x) \supset D) \mid C \vdash C$ obtained from $C \vdash C$ by (ew))

$\vdash (\exists x)(A(x) \supset D) \mid (\forall x)A(x) \supset C \vdash D \supset C$   ($\vdash\supset$)

$(\forall x)A(x) \supset C \vdash (\exists x)(A(x) \supset D) \vee (D \supset C)$   ((iw $\vdash$), ($\vdash\vee$), (ec))



4 Cut Elimination and Midhypersequent Theorem

Theorem 5 (Cut Elimination). Any derivation of a hypersequent $G$ in HIF can be transformed into a derivation of $G$ in HIF$^-$.

This theorem is proved in the usual way by induction on the number of applications of the cut rule, using the following lemma.

Lemma 6. Suppose the hypersequents

$H_1 = G \mid \Gamma \vdash A$ and $H_2 = G \mid \Pi \vdash \Delta$

are cut-free derivable. Then

$H = G \mid \Gamma, \Pi^* \vdash \Delta$

where $\Pi^*$ is obtained from $\Pi$ by removing all occurrences of $A$, is cut-free provable, and the number of applications of (ec) in the resulting proof is not more than the sum of applications of (ec) in $\gamma$ and $\delta$.
Proof. Let $\gamma$ and $\delta$ be the cut-free proofs of $H_1$ and $H_2$, respectively. We may assume, renaming variables if necessary, that the eigenvariables in $\gamma$ and $\delta$ are distinct. The proof follows Gentzen's original Hauptsatz. Define the following measures on the pair $(\gamma, \delta)$: the rank $r = \mathrm{len}(\gamma) + \mathrm{len}(\delta)$, the degree $d = \deg(A)$, and the order $o$ is the number of applications of the (ec) rule in $\gamma, \delta$. We proceed by induction on the lexicographical order of $(d, o, r)$.

If either $H_1$ or $H_2$ is an axiom, then $H$ can be derived from $H_1$ or $H_2$, respectively, using only weakenings. (This includes the case where $r = 2$.)

Otherwise, we distinguish cases according to the last inferences in $\gamma$ and $\delta$. The induction hypothesis is that the claim of the lemma is true whenever the degree is $< d$, or is $= d$ and either the order is $< o$, or the order is $= o$ and the rank is $< r$.

(1) $\gamma$ or $\delta$ ends in an inference which acts on a sequent in $G$. We may invoke the induction hypothesis on the premises of $H_1$ or $H_2$, and $H_2$ or $H_1$, respectively.

(2) $\gamma$ or $\delta$ ends in (ec). For instance, $\gamma$ ends in

$\dfrac{G \mid \Gamma \vdash A \mid \Gamma \vdash A}{G \mid \Gamma \vdash A}$ (ec)

with $\gamma'$ the subproof of the premise. Apply the induction hypothesis to $\gamma'$ and $\delta$. The resulting proof $\gamma''$ of

$G \mid \Gamma \vdash A \mid \Gamma, \Pi^* \vdash \Delta$

has one less (ec) than $\gamma$ (although it may be much longer), and so the induction hypothesis applies again to $\gamma''$ and $\delta$.

(3) $\gamma$ or $\delta$ end in another structural inference, (tt), or (cm): These cases are unproblematic applications of the induction hypothesis to the premises, followed by applications of structural inferences.

For example, assume $\gamma$ ends in (cm), i.e.,

$\dfrac{G \mid \Theta_1, \Theta_1' \vdash \Sigma_1 \quad G \mid \Theta_2, \Theta_2' \vdash A}{G \mid \Theta_1, \Theta_2' \vdash \Sigma_1 \mid \Theta_1', \Theta_2 \vdash A}$ (cm)

with subproofs $\gamma_1$ and $\gamma_2$ of the premises, where $\Gamma = \Theta_1', \Theta_2$. Apply the induction hypothesis to the right premise and $H_2$ to obtain a cut-free proof of

$G \mid \Theta_2, \Theta_2', \Pi^* \vdash \Delta$

Using applications of (ew) and (cm), we obtain the desired result.

The case of (tt) may be of special interest. Suppose $\gamma$ ends in (tt), with

$\dfrac{G \mid \Phi \vdash p \mid p, \Psi \vdash A}{G \mid \Phi, \Psi \vdash A}$ (tt)

Apply the induction hypothesis to the premises of $H_1$ and $H_2$, and apply (tt) to obtain the desired proof:

$\dfrac{G \mid \Phi \vdash p \mid p, \Psi, \Pi^* \vdash \Delta}{G \mid \Phi, \Psi, \Pi^* \vdash \Delta}$ (tt)

The case of $\delta$ ending in (tt) is handled similarly.

(4) $\gamma$ ends in a logical inference not involving the cut formula, or $\delta$ ends in a logical inference not involving the cut formula. These cases are easily handled by appeal to the induction hypothesis and application of appropriate logical and structural inferences. We outline the case where $\gamma$ ends in ($\supset\vdash$):

$\dfrac{G \mid C, \Gamma \vdash A \quad G \mid \Gamma \vdash B}{G \mid B \supset C, \Gamma \vdash A}$ ($\supset\vdash$)

with subproofs $\gamma_1$ and $\gamma_2$ of the premises. We apply the induction hypothesis to the left premise and $H_2$, and apply ($\supset\vdash$):

$\dfrac{G \mid C, \Gamma, \Pi^* \vdash \Delta \quad G \mid \Gamma \vdash B}{G \mid B \supset C, \Gamma, \Pi^* \vdash \Delta}$ ($\supset\vdash$)

(5) Both $\gamma$ and $\delta$ end in logical inferences acting on a cut formula. For instance, if $A = B \supset C$ we have

$\dfrac{G \mid B, \Gamma \vdash C}{G \mid \Gamma \vdash B \supset C}$ ($\vdash\supset$)   with subproof $\gamma_1$ of the premise, and

$\dfrac{G \mid \Pi_1 \vdash B \quad G \mid C, \Pi_2 \vdash \Delta}{G \mid B \supset C, \Pi_1, \Pi_2 \vdash \Delta}$ ($\supset\vdash$)   with subproofs $\delta_1$ and $\delta_2$ of the premises.

First we find proofs $\delta_1'$ and $\delta_2'$ of

$G \mid \Gamma, \Pi_1^* \vdash B$   and   $G \mid C, \Gamma, \Pi_2^* \vdash \Delta$

either by applying the induction hypothesis to $\gamma$ and $\delta_1$ or $\delta_2$ if $\Pi_1$ or $\Pi_2$, respectively, contain $B \supset C$, or otherwise by adding (iw)-inferences to $\delta_1$ and $\delta_2$. Now apply the induction hypothesis based on the reduced degree of the cut formulas twice: first to $\delta_1'$ and $\gamma_1$ to obtain $G \mid \Gamma, \Gamma, \Pi_1^* \vdash C$, and then to the resulting proof and $\delta_2'$ to obtain

$G \mid \Gamma, \Gamma, \Gamma, \Pi_1^*, \Pi_2^* \vdash \Delta.$

The desired result follows by several applications of (ic).

The other cases are similar and are left to the reader. □



Cut elimination is a basic prerequisite for proof-theoretic and computational treatments of a logic. As an immediate consequence of cut elimination we have the subformula property: every IF-valid formula has a proof which only contains subformulas of the endformula (plus possibly propositional variables used in (tt)). Another important corollary is the midhypersequent theorem. It corresponds to Herbrand's Theorem for classical logic and is thus the basis for any resolution-style automated proof method.
Theorem 7. Any hypersequent $H$ with only prenex formulas has a proof where no propositional inference follows a quantifier inference. Such a proof contains one or more hypersequents $M$, called midhypersequents, so that $M$ contains no quantifiers, all the inferences above $M$ are propositional or structural, and all the inferences below $M$ are either quantifier inferences or structural inferences.

Proof. This is proved exactly as for the classical and intuitionistic case (see Takeuti [?]). First, observe that all axioms are cut-free derivable from atomic axioms. The cut-elimination theorem thus provides us with a cut-free proof $\pi$ of $H$ from atomic axioms. Next, observe that the ($\vee\vdash$) rule can be simulated without using cuts by the rule

$\dfrac{G \mid A, \Gamma \vdash \Delta_1 \quad G \mid B, \Gamma \vdash \Delta_2}{G \mid A \vee B, \Gamma \vdash \Delta_1 \mid A \vee B, \Gamma \vdash \Delta_2}$ ($\vee\vdash'$)

The rule can be derived as follows (we omit side sequents; each line follows from the line above it by the indicated rule):

$A, \Gamma \vdash \Delta_1$   $B, \Gamma \vdash \Delta_2$

$B, \Gamma \vdash \Delta_1 \mid A, \Gamma \vdash \Delta_2$   (cm)

$A \vee B, \Gamma \vdash \Delta_1 \mid A, \Gamma \vdash \Delta_2$   ($\vee\vdash$, with $A, \Gamma \vdash \Delta_1$)

$A \vee B, \Gamma \vdash \Delta_1 \mid A \vee B, \Gamma \vdash \Delta_2$   ($\vee\vdash$, with $B, \Gamma \vdash \Delta_2$)

Of course, ($\vee\vdash'$) together with (ec) simulates ($\vee\vdash$). We replace all applications of ($\vee\vdash$) by applications of ($\vee\vdash'$) in our cut-free proof.

Define the order of a quantifier inference in $\pi$ to be the number of propositional inferences under it, and the order of $\pi$ as the sum of the orders of its quantifier inferences. The proof is by induction on the order of $\pi$. The only interesting case is of ($\vee\vdash'$) occurring below a quantifier inference, since this case does not work for intuitionistic logic.

Suppose $\pi$ contains a ($\vdash\forall$) inference above a ($\vee\vdash'$) inference, and so that all the inferences in between are structural. We have the following situation:

$G' \mid \Gamma' \vdash A(a)$   (by the subproof $\delta'$)

$G' \mid \Gamma' \vdash (\forall x)A(x)$   ($\vdash\forall$)

$G \mid B, \Gamma \vdash (\forall x)A(x)$   (by $\delta$)

$G \mid A \vee B, \Gamma \vdash \Delta \mid A \vee B, \Gamma \vdash (\forall x)A(x)$   ($\vee\vdash'$, with the other premise $G \mid A, \Gamma \vdash \Delta$)

where $\delta$ contains only structural inferences. We reduce the order of $\pi$ by replacing this part of $\pi$ by:

$G' \mid \Gamma' \vdash A(a)$   (by $\delta'$)

$G \mid B, \Gamma \vdash A(a)$   (by $\delta$)

$G \mid A \vee B, \Gamma \vdash \Delta \mid A \vee B, \Gamma \vdash A(a)$   ($\vee\vdash'$, with $G \mid A, \Gamma \vdash \Delta$)

$G \mid A \vee B, \Gamma \vdash \Delta \mid A \vee B, \Gamma \vdash (\forall x)A(x)$   ($\vdash\forall$)

□
5 Elimination of the Takeuti-Titani Rule

The Takeuti-Titani rule is the least understood feature of the original Takeuti-Titani axiomatization of IF. We show below that the rule can be eliminated from proofs in HIF. This had been posed as a problem by Takano [?]. The proof is by induction on the number of applications of (tt) and the length of the proof. The exact complexity of the elimination procedure is still to be investigated. The (tt) rule can have significant effects on proof structure. For instance, one of the calculi in Avron [?] uses the split rule

$\dfrac{G \mid \Gamma, \Gamma' \vdash \Delta}{G \mid \Gamma \vdash \Delta \mid \Gamma' \vdash \Delta}$ (split)

If this rule is added to HIF, it is possible to transform proofs so that each application of the communication rule has a premise which is a propositional axiom. This is not possible without (tt). The transformation works by replacing each occurrence of the communication rule, with premises $G_1 \mid \Gamma_1, \Pi \vdash \Delta_1$ and $G_2 \mid \Gamma_2, \Pi' \vdash \Delta_2$, by a derivation that splits the premises, communicates the resulting components with the propositional axioms $p \vdash p$ and $q \vdash q$, and recombines them by (cut), external contractions and (tt) into $G_1 \mid G_2 \mid \Gamma_1, \Pi' \vdash \Delta_1 \mid \Pi, \Gamma_2 \vdash \Delta_2$. [The derivation figure is not recoverable from the scan.]



Proposition 8. Let $\delta$ be a HIF$^*$-derivation of hypersequent $H$ with length $k$, where $H$ is of the form

$G \mid \Gamma_1, \Pi_1 \vdash \Delta_1, \Pi_1' \mid \dots \mid \Gamma_n, \Pi_n \vdash \Delta_n, \Pi_n'$

and $\bigcup \Pi_i \subseteq \{p\}$, $\Pi_i' = \emptyset$, and $p$ does not occur in $G$, $\Gamma_i$ or $\Delta_i$ (or $\bigcup \Pi_i' \subseteq \{p\}$, $\Pi_i = \emptyset$, and $p$ does not occur in $G$, $\Gamma_i$ or $\Delta_i$).

Then the hypersequent $G \mid \Gamma_1 \vdash \Delta_1 \mid \dots \mid \Gamma_n \vdash \Delta_n$ is derivable in length $\le k$.

Proof. Easy induction on $k$. Every occurrence of $p$ must arise from a weakening; simply delete all these weakenings.



Theorem 9. Applications of (tt) can be eliminated from HIF-derivations.

This follows from the following lemma by induction on the number of applications of (tt) in a given HIF-derivation.
Lemma 10. If $\delta$ is an HIF$^*$-derivation of

$H = G \mid \Phi_1 \vdash \Pi_1 \mid \dots \mid \Phi_n \vdash \Pi_n \mid \Pi_1', \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Pi_m', \Psi_m \vdash \Sigma_m$

where $p$ does not occur in $G$, $\Phi_i$, $\Psi_i$ or $\Sigma_i$, and $\Pi_i, \Pi_i' \subseteq \{p\}$, then there is a HIF$^*$-derivation of

$G \mid \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Phi, \Psi_m \vdash \Sigma_m$

where $\Phi = \Phi_1, \dots, \Phi_n$.

Proof. By induction on the length of $\delta$. We distinguish cases according to the last inference $I$ in $\delta$. For simplicity, we will write $p$ in what follows below instead of $\Pi_i$ or $\Pi_i'$ with the understanding that it denotes an arbitrary multiset of $p$'s.

(1) The conclusion of $I$ is so that $p$ only occurs on the right side of sequents, or only on the left side. Then Prop. 8 applies, and the desired hypersequent can be derived without (tt).

(2) $I$ applies to sequents in $G$. Then the induction hypothesis can be applied to the premise(s) of $I$ and appropriate inferences added below.

(3) $I$ is a structural inference other than (cut) and (cm), or a logical inference with only one premise, or a logical inference which applies to a $\Sigma_i$. These cases are likewise handled in an obvious manner and are unproblematic. One instructive example might be the case of ($\supset\vdash$). Here the premises would be of the form, say,

$G \mid \Phi_1 \vdash p \mid \Phi_2 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid p, \Gamma_1 \vdash A$

$G \mid \Phi_1 \vdash p \mid \Phi_2 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid B, \Gamma_2 \vdash p$

Let $\Phi = \Phi_1, \dots, \Phi_n$. The induction hypothesis provides us with

$G \mid \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Phi, \Psi_m \vdash \Sigma_m \mid \Phi, \Gamma_1 \vdash A$

$G \mid B, \Gamma_2, \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid B, \Gamma_2, \Phi, \Psi_m \vdash \Sigma_m$

We obtain the desired hypersequent by applying ($\supset\vdash$) successively $m$ times, together with some contractions.

(4) $I$ is a cut. There are several cases to consider, most of which are routine. The only tricky case is when the cut formula is $p$ and $p$ occurs both on the left and the right side of sequents in both premises of the cut. For simplicity, let us consider the cut rule in its multiplicative formulation, with premises

$G \mid \Phi_1 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid \Gamma \vdash p$

$G \mid \Phi_1 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid p, \Pi \vdash \Sigma$

We want to find a derivation of

$G \mid \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Phi, \Psi_m \vdash \Sigma_m \mid \Gamma, \Pi \vdash \Sigma$

where $\Phi = \Phi_1, \dots, \Phi_n$. The induction hypothesis applied to the premises of the cut gives us

$G \mid \Gamma, \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Gamma, \Phi, \Psi_m \vdash \Sigma_m$

$G \mid \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Phi, \Psi_m \vdash \Sigma_m \mid \Phi, \Pi \vdash \Sigma$

We obtain the desired hypersequent by $m$ successive applications of (cm).

(5) $I$ is ($\vee\vdash$), or ($\exists\vdash$), applying to $\Phi_i$ or $\Psi_i$. Consider the case of ($\vee\vdash$); the others are treated similarly. The premises of $I$ are, for example,

$G \mid A, \Phi_1 \vdash p \mid \Phi_2 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m$

$G \mid B, \Phi_1 \vdash p \mid \Phi_2 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m$

By induction hypothesis, we obtain

$G \mid A, \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid A, \Phi, \Psi_m \vdash \Sigma_m$

$G \mid B, \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid B, \Phi, \Psi_m \vdash \Sigma_m$

It is not straightforwardly possible to derive the desired hypersequent from these. If $\Psi_i = \{P_{i1}, \dots, P_{ik_i}\}$, let $Q_i = P_{i1} \supset \dots \supset P_{ik_i} \supset \Sigma_i$. Then we do easily obtain, however, the following by repeated application of ($\vdash\supset$), ($\vdash\vee$) and (ec):

$G \mid A, \Phi_1, \dots, \Phi_n \vdash Q_1 \vee \dots \vee Q_m$

$G \mid B, \Phi_1, \dots, \Phi_n \vdash Q_1 \vee \dots \vee Q_m$

Now a single application of ($\vee\vdash$), plus (ec), gives us

$K = G \mid A \vee B, \Phi_1, \dots, \Phi_n \vdash Q_1 \vee \dots \vee Q_m$

Writing $\Gamma$ for $A \vee B, \Phi_1, \dots, \Phi_n$, we then derive

$\Gamma \vdash Q_1 \mid \dots \mid \Gamma \vdash Q_m$

from $K$ using $m - 1$ cuts: a cut of $K$ with $\delta_1$ yields $\Gamma \vdash Q_1 \mid \Gamma \vdash Q_2 \vee \dots \vee Q_m$, a cut of that with $\delta_2$ yields $\Gamma \vdash Q_1 \mid \Gamma \vdash Q_2 \mid \Gamma \vdash Q_3 \vee \dots \vee Q_m$, and so on up to $\delta_{m-1}$. Here $\delta_i$ is the derivation

$Q \vdash Q$   $Q_i \vdash Q_i$

$Q \vdash Q_i \mid Q_i \vdash Q$   (cm)

$Q_i \vee Q \vdash Q_i \mid Q_i \vee Q \vdash Q$   ($\vee\vdash$, with $Q_i \vdash Q_i$ and $Q \vdash Q$)

of the hypersequent

$Q_i \vee Q_{i+1} \vee \dots \vee Q_m \vdash Q_i \mid Q_i \vee \dots \vee Q_m \vdash Q_{i+1} \vee \dots \vee Q_m$

where $Q$ abbreviates $Q_{i+1} \vee \dots \vee Q_m$. The desired hypersequent is obtained by $m$ cuts with

$Q_i, P_{i1}, \dots, P_{ik_i} \vdash \Sigma_i$
(6) $I$ is a communication rule. This is the most involved case, as several subcases have to be distinguished according to which of the two communicated sequents contains $p$. Neither of these cases are problematic. We present two examples:

(a) One of the communicated sequents contains $p$ on the right. Then the premises of $I$ are

$G \mid \Phi_1 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid \Theta_1, \Theta_1' \vdash p$

$G \mid \Phi_1 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid \Theta_2, \Theta_2' \vdash \Sigma$

The induction hypothesis applies to these two hypersequents. If we write $\Phi = \Phi_1, \dots, \Phi_n$, we have

$G \mid \Theta_1, \Theta_1', \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Theta_1, \Theta_1', \Phi, \Psi_m \vdash \Sigma_m$

$G \mid \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Phi, \Psi_m \vdash \Sigma_m \mid \Theta_2, \Theta_2' \vdash \Sigma$

We obtain the desired result by applying $m$ instances of (cm), internal weakenings and external contractions as necessary, to obtain, in sequence

$G \mid \Theta_1, \Theta_2', \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots$

$\vdots$

$G \mid \Theta_1, \Theta_2', \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Theta_1, \Theta_2', \Phi, \Psi_m \vdash \Sigma_m \mid \Theta_1', \Theta_2 \vdash \Sigma$

The sequents participating in the application of (cm) are marked by boxes. The original end hypersequent follows from the last one by internal weakenings.

(b) The communicated sequents both contain $p$, once on the right, once on the left. The premises of $I$ are

$G \mid \Phi_1 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid \Theta_1, \Theta_1' \vdash p$

$G \mid \Phi_1 \vdash p \mid \dots \mid \Phi_n \vdash p \mid p, \Psi_1 \vdash \Sigma_1 \mid \dots \mid p, \Psi_m \vdash \Sigma_m \mid p, \Theta_2, \Theta_2' \vdash \Sigma$

We have proofs of

$G \mid \Theta_1, \Theta_1', \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Theta_1, \Theta_1', \Phi, \Psi_m \vdash \Sigma_m$

$G \mid \Phi, \Psi_1 \vdash \Sigma_1 \mid \dots \mid \Phi, \Psi_m \vdash \Sigma_m \mid \Theta_2, \Theta_2', \Phi \vdash \Sigma$

Again, a sequence of $m$ applications of (cm), together with internal weakenings and external contractions, produces the desired end sequent. □

Note that in case (5), several new cuts are introduced. As a consequence, the elimination procedure does not directly work for cut-free proofs. If a proof with neither cut nor communication is required, the elimination procedure has to be combined with the cut-elimination procedure of Thm. 5. The additional cuts can be avoided by replacing ($\vee\vdash$) and ($\exists\vdash$) by the following generalized rules:

$\dfrac{G \mid A, \Gamma_1 \vdash \Delta_1 \mid \dots \mid A, \Gamma_n \vdash \Delta_n \quad G \mid B, \Gamma_1 \vdash \Delta_1 \mid \dots \mid B, \Gamma_n \vdash \Delta_n}{G \mid A \vee B, \Gamma_1 \vdash \Delta_1 \mid \dots \mid A \vee B, \Gamma_n \vdash \Delta_n}$ ($\vee\vdash^*$)

$\dfrac{G \mid A(a), \Gamma_1 \vdash \Delta_1 \mid \dots \mid A(a), \Gamma_n \vdash \Delta_n}{G \mid (\exists x)A(x), \Gamma_1 \vdash \Delta_1 \mid \dots \mid (\exists x)A(x), \Gamma_n \vdash \Delta_n}$ ($\exists\vdash^*$)

These rules, however, cannot be simulated by the ordinary rules without using cut (the simulation with cut is given in case (5)). By changing case (5) accordingly, the elimination procedure will transform a cut-free HIF-derivation into a cut-free one without (tt), but with ($\vee\vdash^*$) and ($\exists\vdash^*$).
Abstract. We show that dependent sums and dependent products of continuous parametrizations on domains with dense, codense, and natural totalities agree with dependent sums and dependent products in equilogical spaces, and thus also in the realizability topos RT($P\omega$).

Keywords: continuous functionals, dependent type theory, domain theory, equilogical spaces.



1 Introduction 

Recently there has been a lot of interest in understanding notions of totality for domains [?]. There are several reasons for this. Totality is the semantic analogue of termination, and one is naturally interested in understanding not only termination properties of programs but also how notions of program equivalence depend on assumptions regarding termination [?]. Another reason for studying totality on domains is to obtain generalizations of the finite-type hierarchy of total continuous functionals by Kleene and Kreisel [?], see [?] and [?] for good accounts of this subject. Ershov [7] showed how the Kleene-Kreisel functionals arise in a domain-theoretic setting as the total elements of domains of partial continuous functionals. This work has been pursued further by Normann, Berger and others, who have studied both inductive types and dependent types with universe operators [?]. The aims of their work include both finding models of Martin-Löf type theory [?] and also extending the density theorems to transfinite hierarchies. The density theorems are used in the study of higher-type recursion theory and in order-theoretic characterizations of extensionality for total objects [?].

It is important to understand how different models of computation relate. Indeed, a number of results demonstrate that the Kleene-Kreisel functionals arise in various computational models [?], which is good evidence that this class of functionals is an important and robust model of higher-type computation. We proved one such result in [?], where we related domains with totality to equilogical spaces, introduced by Dana Scott [?]: the so-called dense and codense totalities on domains [3] embed fully and faithfully into the category of equilogical spaces, and the embedding preserves the cartesian-closed structure implicit in the totalities for products and function spaces. From this it follows easily that the Kleene-Kreisel functionals of finite type can be constructed in the category Equ of equilogical spaces by repeated exponentiation, starting from the natural numbers object. In this paper we extend these results to dependent types.

We build on Berger's Habilitationsschrift [?], in which Berger generalized density and codensity on domains from simple types to dependent types with universe operators and proved the corresponding Density Theorems. We show that, in a precise sense, the dependent types of dense, codense, and natural totalities on consistent parametrizations coincide with the dependent types of equilogical spaces. It follows that the dependent type hierarchies over the natural numbers and the booleans coincide in four settings: equilogical spaces, domains with totality, limit spaces [?] and filter spaces [?]. We also note recent work by Menni and Simpson [?], which relates locally cartesian closed subcategories of equilogical spaces, sequential spaces, and limit spaces. All these results taken together provide a satisfactory "goodness of fit" picture, at the level of dependent type structures.

More precisely, domains here are algebraic, countably based, consistently-complete dcpos. Since the domains are countably based, we only need to consider countably based equilogical spaces, which form a full locally cartesian closed subcategory of the category of all equilogical spaces. The category of countably based equilogical spaces is equivalent to the category of modest sets Mod($P\omega$) over the graph model $P\omega$ of the untyped $\lambda$-calculus, and since the modest sets form a full locally cartesian closed subcategory of the realizability topos RT($P\omega$) over the graph model, it follows that the domain-theoretic total continuous functionals of dependent types are the same as the ones in the realizability topos RT($P\omega$).

The plan of the paper is as follows. In the following section we present an overview of the technical work, and explain the main idea of the proof of our main theorem, Theorem [?]. In Sect. 3 we recall the definition of the category of equilogical spaces and the construction of dependent sums and products of equilogical spaces. In Sect. [?] we briefly review domains with totality, and refer you to [?] for more details. Sect. [?] contains the Main Theorem and its proof, which relates dependent types in Equ to dependent types in domains with totality. As an example of how the Main Theorem can be used, we translate Berger's Continuous Choice Principle for dependent totalities [?] into a choice principle expressed in the internal logic of Equ. Finally, Sect. [?] contains some concluding remarks and suggestions for future work.
2 Overview of Technical Work

In this section we give a brief overview of the rather technical theorems and proofs from Sect. [?]. We do not provide any proofs or references for the claims made in this overview, because they are repeated in more detail in the rest of the paper. Please consult Sects. [?] and [?] for basic definitions and explanation of the notation. Berger [?] contains material on totalities for parametrizations on domains, and [2] can serve as a reference on equilogical spaces.

The category of countably based equilogical spaces, as defined originally by Dana Scott, is equivalent to PER($\omega$ALat), the category of partial equivalence relations on countably based algebraic lattices. We work exclusively with PER($\omega$ALat) and so we set Equ = PER($\omega$ALat).

If $M \subseteq D$ is a codense subset of a domain $D$, then the consistency relation $\uparrow$ (which relates two elements when they are bounded) restricted to $M$ is a partial equivalence relation on $D$. Thus, a codense subset of a domain $D$ can be viewed as a partial equivalence relation, induced by the consistency relation on $M$, on the algebraic lattice $D^\top$, the domain $D$ with a compact top element $\top$ added to it.

Let $F = (|F|, \|F\|)$ be a dense, codense and consistent totality on $D = (|D|, \|D\|)$, i.e., $(|F|, |D|)$ is a consistent parametrization on the domain $|D|$, $\|D\| \subseteq |D|$ is a dense and codense totality on $|D|$, and $(\|D\|, \|F\|)$ is a dense and codense dependent totality for $|F|$. We can explain the main point of the proof that the dependent types in domains with totality agree with dependent types in equilogical spaces by looking at how the dependent products are constructed in both settings. In the domain-theoretic setting a total element of the dependent product $P = \Pi(D, F)$ is a continuous map $f = (f_1, f_2)\colon |D| \to |\Sigma(D, F)|$ that maps total elements to total elements and satisfies, for all $x \in \|D\|$, $f_1 x = x$. In PER($\omega$ALat) a total element of the dependent product $Q$ is a continuous map $g = (g_1, g_2)\colon |D|^\top \to |\Sigma(D, F)|^\top$ that preserves the partial equivalence relations and satisfies, for all $x \in \|D\|$, $g_1 x \uparrow_D x$. Here $\uparrow_D$ is the consistency relation on the domain $|D|$, restricted to the totality $\|D\|$. In order to prove that $P$ and $Q$ are isomorphic we need to be able to translate an element $f \in \|P\|$ to one in $\|Q\|$, and vice versa. It is easy enough to translate $f \in \|P\|$ since we can just use $f$ itself again. This is so because $f_1 x = x$ implies $f_1 x \uparrow_D x$. However, given a $g \in \|Q\|$, it is not obvious how to get a corresponding function in $\|P\|$. We need a way of continuously transporting 'level' $\|F(g_1 x)\|$ to 'level' $\|F x\|$. In other words, we need a continuous map $t$ such that whenever $x, y \in \|D\|$, $x \uparrow y$, and $u \in \|F y\|$ then $t(y, x) u \in \|F x\|$ and $(x, t(y, x) u) \uparrow (y, u)$ in $|\Sigma(D, F)|$. Given such a map $t$, the element of $\|P\|$ corresponding to $g \in \|Q\|$ is the map

$x \mapsto (x, t(g_1 x, x)(g_2 x)).$

The theory of totality for parametrizations on domains provides exactly what we need. Every consistent parametrization $F$ has a transporter $t$, which has the desired properties. In addition, we must also require that the parametrization $F$ be natural, which guarantees that $t(y, x)$ maps $\|F y\|$ to $\|F x\|$ whenever $x$ and $y$ are total and consistent. Berger [?] used the naturality conditions for dependent totalities to show that the consistency relation coincides with extensional equality. As equality of functions in equilogical spaces is defined extensionally, it is not surprising that naturality is needed in order to show the correspondence between the equilogical and domain-theoretic settings.

Finally, let us comment on the significance of the density and codensity theorems [?] for the results presented in this paper. We define a translation from dependent totalities to equilogical spaces, and show that it preserves dependent sums and products. The density theorems for dependent totalities ensure that the translation is well defined in the first place. Thus, density plays a fundamental role, which is further supported by the observation that the category of equilogical spaces is equivalent to the category of dense partial equivalence relations on Scott domains, see [2]. The effect of codensity is that the translation of domain-theoretic totalities into equilogical spaces gives a rather special kind of totally disconnected equilogical spaces, which we comment on further in Sect. [?].



3 Equilogical Spaces

In this paper, we take an equilogical space $A = (|A|, R_A)$ to be a partial equivalence relation on an algebraic lattice $|A|$. The category PER($\omega$ALat) of such objects and equivalence classes of equivalence preserving continuous maps between them is equivalent to the original definition of equilogical spaces [2].

The support of an equilogical space $A$ is the set

$\|A\| = \{x \in |A| \mid x \mathrel{R_A} x\} .$

We explicitly describe the locally cartesian closed structure of PER($\omega$ALat).

Let $r\colon J \to I$ be a morphism in PER($\omega$ALat). The pullback along $r$ is the functor

$r^*\colon \mathrm{PER}(\omega\mathrm{ALat})/I \to \mathrm{PER}(\omega\mathrm{ALat})/J$

that maps an object $a\colon A \to I$ over $I$ to an object $r^* a\colon r^* A \to J$ over $J$, as in the pullback diagram (the square with sides $r^* A \to A$, $r^* A \to J$, $a\colon A \to I$ and $r\colon J \to I$; not reproduced here).

The pullback functor $r^*$ has left and right adjoints. The left adjoint is the dependent sum along $r$

$\Sigma_r\colon \mathrm{PER}(\omega\mathrm{ALat})/J \to \mathrm{PER}(\omega\mathrm{ALat})/I$

that maps an object $b\colon B \to J$ over $J$ to the object $\Sigma_r b = r \circ b\colon B \to I$ over $I$. The right adjoint to the pullback functor $r^*$ is the dependent product along $r$

$\Pi_r\colon \mathrm{PER}(\omega\mathrm{ALat})/J \to \mathrm{PER}(\omega\mathrm{ALat})/I,$

defined as follows. Let $b\colon B \to J$ be an object in the slice over $J$. Let $\sim$ be a partial equivalence relation on the algebraic lattice $|I| \times (|J| \to |B|)$ defined by

$(i, f) \sim (i', f')$

if and only if

$i \mathrel{R_I} i' \wedge \forall j, j' \in |J| .\, (j \mathrel{R_J} j' \wedge r(j) \mathrel{R_I} i \Longrightarrow f(j) \mathrel{R_B} f'(j') \wedge b(f(j)) \mathrel{R_J} j)$

The dependent product $\Pi_r b$ is the object $(|\Pi_r b|, \sim)$, where

$|\Pi_r b| = |I| \times (|J| \to |B|) .$ (1)

The map $\Pi_r b \to I$ is the obvious projection $(i, f) \mapsto i$. See [?] for more details about the locally cartesian closed structure of PER($\omega$ALat).

For background material on domain theory we suggest [21]. A Scott domain is a countably based, algebraic, consistently-complete dcpo. Let $\omega\mathrm{Dom}$ be the category of Scott domains and continuous maps between them. This category is cartesian closed and contains the category $\omega\mathrm{ALat}$ as a full cartesian closed subcategory. We define the 'top' functor $(-)^\top: \omega\mathrm{Dom} \to \omega\mathrm{ALat}$ by setting $D^\top$ to be the domain $D$ with a new compact top element $\top_D$ added to it. Given a map $f: D \to E$, let $f^\top: D^\top \to E^\top$ be defined by

$$f^\top x = \begin{cases} f x & \text{if } x \neq \top_D \\ \top_E & \text{if } x = \top_D. \end{cases}$$

It is easily checked that $f^\top$ is a continuous map. We are going to use the following two lemmas and corollary later on. The easy proofs are omitted.

Lemma 1. Let $C$, $D$, and $E$ be Scott domains and $f: C \to (D \to E^\top)$ a continuous map. Then the map $f': C \to (D^\top \to E^\top)$ defined by

$$f' x y = \begin{cases} f x y & \text{if } y \neq \top_D \\ \top_E & \text{if } y = \top_D \end{cases}$$

is also continuous.



Corollary 1. Let $D$ and $E$ be Scott domains and $f: D \to E^\top$ a continuous map. Then the map $f': D^\top \to E^\top$ defined by

$$f' y = \begin{cases} f y & \text{if } y \neq \top_D \\ \top_E & \text{if } y = \top_D \end{cases}$$

is also continuous.
Lemma 2. Suppose $D$ and $E$ are Scott domains, $S \subseteq D$ is an open subset, and $f: D \setminus S \to E^\top$ is a continuous map from the Scott domain $D \setminus S$ to the algebraic lattice $E^\top$. Then the map $f': D \to E^\top$ defined by

$$f' x = \begin{cases} f x & \text{if } x \notin S \\ \top_E & \text{if } x \in S \end{cases}$$
is also continuous. 
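As an added example (not code from the paper), the following Python snippet checks the 'top' functor and Corollary 1 by brute force on finite posets, where Scott continuity reduces to monotonicity, and also builds the equilogical space $Q(\mathbb{B}_\bot)$ of Sect. 4 (consistency restricted to the total elements) to show which maps represent morphisms. The flat Boolean domain used as input is constructed here, and all class and function names are the example's own, not the paper's notation.

```python
# Added example (not from the paper): brute-force checks of the 'top' functor
# (-)^T and of Corollary 1 on finite posets, plus the equilogical space Q(B_bot)
# of Sect. 4.  On a finite poset every monotone map is Scott continuous, so
# continuity is checked by enumerating all pairs x <= y.  The class and function
# names below are this example's own, not notation from the paper.

BOT, FALSE, TRUE, TOP = "bot", "false", "true", "top"


class FinitePoset:
    """A finite poset given by its elements and a generating set of x <= y pairs."""

    def __init__(self, elements, leq_pairs):
        self.elements = list(elements)
        rel = {(x, x) for x in self.elements} | set(leq_pairs)
        # Reflexive-transitive closure, so leq_pairs may be just the Hasse edges.
        changed = True
        while changed:
            changed = False
            for a, b in list(rel):
                for c, d in list(rel):
                    if b == c and (a, d) not in rel:
                        rel.add((a, d))
                        changed = True
        self._leq = rel

    def leq(self, x, y):
        return (x, y) in self._leq

    def consistent(self, x, y):
        """x and y are consistent when they have a common upper bound in this poset."""
        return any(self.leq(x, z) and self.leq(y, z) for z in self.elements)

    def is_monotone(self, f, codomain):
        """On a finite poset, monotone is the same as Scott continuous."""
        return all(codomain.leq(f(x), f(y))
                   for x in self.elements for y in self.elements if self.leq(x, y))


def top_completion(poset, top):
    """D^T: D with a new top element above everything (the 'top' functor on objects)."""
    return FinitePoset(poset.elements + [top],
                       list(poset._leq) + [(x, top) for x in poset.elements])


def extend_top(f, top_d, top_e):
    """f': D^T -> E^T from f: D -> E^T, as in Corollary 1: the new top goes to top."""
    return lambda x: top_e if x == top_d else f(x)


def corollary1_check(f, dom, cod_top, top_d, top_e):
    """Return (f monotone on D, f' monotone on D^T); Corollary 1 says both hold if the first does."""
    dom_top = top_completion(dom, top_d)
    return dom.is_monotone(f, cod_top), dom_top.is_monotone(extend_top(f, top_d, top_e), cod_top)


def q_per(poset, total):
    """PER of Q(D) on |D|^T, eq. (2): consistency computed in |D|, restricted to total elements."""
    return {(x, y) for x in total for y in total if poset.consistent(x, y)}


def support(per):
    """||A|| = { x | x R_A x }."""
    return {x for (x, y) in per if x == y}


def preserves_per(f, per_dom, per_cod):
    """f represents a morphism iff x R y implies f(x) R' f(y)."""
    return all((f(x), f(y)) in per_cod for (x, y) in per_dom)


# Constructed sample data: the flat Boolean domain B_bot and B_bot^T.
B_BOT = FinitePoset([BOT, FALSE, TRUE], [(BOT, FALSE), (BOT, TRUE)])
B_BOT_TOP = top_completion(B_BOT, TOP)
Q_B = q_per(B_BOT, [FALSE, TRUE])          # the equilogical space 2 = Q(B_bot)


def negation(x):
    """A strict, continuous map B_bot -> B_bot^T that never returns top."""
    return {BOT: BOT, FALSE: TRUE, TRUE: FALSE}[x]


NEGATION_TOP = extend_top(negation, TOP, TOP)


def bad_extension(x):
    """Sending the new top to bot instead of top: not monotone, so Corollary 1 needs top -> top."""
    return BOT if x == TOP else negation(x)


if __name__ == "__main__":
    print("false, true consistent in B_bot:", B_BOT.consistent(FALSE, TRUE))
    print("false, true consistent in B_bot^T:", B_BOT_TOP.consistent(FALSE, TRUE))
    print("Corollary 1 for negation:", corollary1_check(negation, B_BOT, B_BOT_TOP, TOP, TOP))
    print("bad extension monotone:", B_BOT_TOP.is_monotone(bad_extension, B_BOT_TOP))
    print("support of Q(B_bot):", support(Q_B))
    print("negation^T represents a morphism 2 -> 2:", preserves_per(NEGATION_TOP, Q_B, Q_B))
    print("constant bot represents a morphism:", preserves_per(lambda x: BOT, Q_B, Q_B))
```

Two points the run makes explicit: $\mathit{false}$ and $\mathit{true}$ are inconsistent in $\mathbb{B}_\bot$ but consistent in $\mathbb{B}_\bot^\top$, which is why $\uparrow_D$ in (2) is computed in $|D|$ rather than in $|D|^\top$; and the constant-$\bot$ map fails to preserve the PER because it sends total elements to a non-total one, the same reason the $\mathit{choose}$ functional of Sect. 6 does not represent a morphism.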



4 Domains and Totality 

We review some basic definitions about domains with totality from Berger. Let $\mathbb{B}_\bot$ be the flat domain on the Booleans $\mathbb{B} = \{\mathit{false}, \mathit{true}\}$. Given a domain $D$ and a subset $M \subseteq D$, let $\mathcal{E}_D(M)$ be the family

$$\mathcal{E}_D(M) = \{p: D \to \mathbb{B}_\bot \mid \forall x \in M.\ p x \neq \bot\}.$$

In words, $\mathcal{E}_D(M)$ is the set of those continuous predicates on $D$ which only take on the values $\mathit{true}$ and $\mathit{false}$ on elements of $M$. The family $\mathcal{E}_D(M)$ is separating when for every unbounded finite set $\{x_0, \dots, x_n\} \subseteq D$ there exist $p_0, \dots, p_n \in \mathcal{E}_D(M)$ such that $p_i x_i = \mathit{true}$ for $i = 0, \dots, n$ and $p_0^*(\mathit{true}) \cap \cdots \cap p_n^*(\mathit{true}) = \emptyset$, where $p^*(\mathit{true})$ denotes the preimage $\{x \in D \mid p x = \mathit{true}\}$.

A totality on a domain is a pair $D = (|D|, \|D\|)$ where $|D|$ is a domain and $\|D\|$ is a subset of $|D|$. Often the set $\|D\|$ itself is called a totality as well. A totality is dense when $\|D\|$ is a topologically dense subset of $|D|$. A totality is codense when the family $\mathcal{E}_{|D|}(\|D\|)$ is separating. The consistency relation $\uparrow$ (two elements are consistent when they have a common upper bound) restricted to a codense totality $\|D\|$ is symmetric and transitive.

To each dense and codense totality $D$ we assign an equilogical space

$$QD = (|D|^\top, \uparrow_D) \tag{2}$$

where $\uparrow_D$ is the consistency relation restricted to the totality $\|D\|$, i.e., $x \uparrow_D y$ if, and only if, $x, y \in \|D\| \wedge x \uparrow y$. We consider only dense and codense totalities from now on.

A parametrization on a domain $|D|$ is a co-continuous functor $F: |D| \to \omega\mathrm{Dom}^{ep}$ from $|D|$, viewed as a category, to the category $\omega\mathrm{Dom}^{ep}$ of Scott domains and good embeddings. Recall that an embedding-projection pair is good when the projection preserves arbitrary suprema. Whenever $x, y \in |D|$, $x \le y$, there is an embedding $F(x \le y)^+: Fx \to Fy$ and a projection $F(x \le y)^-: Fy \to Fx$. We abbreviate these as follows, for $u \in Fx$ and $v \in Fy$:

$$u^{[y]} = F(x \le y)^+(u),$$

$$v_{[x]} = F(x \le y)^-(v).$$

208    A. Bauer and L. Birkedal

A parametrization $F$ on $|D|$ is consistent when it has a transporter. A transporter is a continuous map $t$ such that for every $x, y \in |D|$, $t(x, y)$ is a map from $Fx$ to $Fy$, satisfying:

(1) if $x \le y$ then $F(x \le y)^+ \le t(x, y)$ and $F(x \le y)^- \le t(y, x)$,

(2) $t(x, y)$ is strict,

(3) $t(y, z) \circ t(x, y) \le t(x, z)$.

Let $D$ be a totality. A dependent totality on $D$ is a pair $F = (|F|, \|F\|)$ where $|F|: |D| \to \omega\mathrm{Dom}^{ep}$ is a parametrization and $(\|D\|, \|F\|)$ is a totality for the parametrization $(|D|, |F|)$. Just like for totalities on domains, there are notions of dense and codense dependent totalities. See Berger for definitions of these and also for definitions of dependent sum $\Sigma(D, F)$ and dependent product $\Pi(D, F)$. From now on we only consider dense and codense dependent totalities on consistent parametrizations.

A dependent totality $F$ on $D$ is natural if $\|D\|$ is upward closed in $|D|$, $\|Fx\|$ is upward closed in $|Fx|$ for all $x \in \|D\|$, and whenever $x \le y \in \|D\|$ then

$$\forall v \in |Fy|.\ \big(v \in \|Fy\| \Leftrightarrow v_{[x]} \in \|Fx\|\big).$$

Note that the above condition implies

$$\forall u \in |Fx|.\ \big(u \in \|Fx\| \Rightarrow u^{[y]} \in \|Fy\|\big),$$

since $(u^{[y]})_{[x]} = u$ for every $u \in |Fx|$.



Lemma 3. Let $F$ be a natural dependent totality on $D$. Since $F$ is consistent, it has a transporter $t$. Let $x, y \in \|D\|$, $x \uparrow y$, and $u \in \|Fy\|$. Then $t(y, x)u \in \|Fx\|$ and $(y, u) \uparrow (x, t(y, x)u)$ in $|\Sigma(D, F)|$.

Proof. By naturality of $F$ we have $u^{[x \vee y]} \in \|F(x \vee y)\|$ and hence $(u^{[x \vee y]})_{[x]} \in \|Fx\|$, and since, by transporter conditions (1) and (3),

$$(u^{[x \vee y]})_{[x]} \le t(x \vee y, x)\big(t(y, x \vee y)u\big) \le t(y, x)u,$$

also $t(y, x)u \in \|Fx\|$ by upward closedness of $\|Fx\|$. Furthermore, $(y, u) \uparrow (x, t(y, x)u)$ in $|\Sigma(D, F)|$ because $x \uparrow y$ and $u^{[x \vee y]} \uparrow (t(y, x)u)^{[x \vee y]}$ (consistency in $|\Sigma(D, F)|$ means consistency of the first components together with consistency of the second components embedded into the fibre over the join), which follows from the common upper bound $t(y, x \vee y)u$:

$$u^{[x \vee y]} \le t(y, x \vee y)u, \qquad (t(y, x)u)^{[x \vee y]} \le \big(t(x, x \vee y) \circ t(y, x)\big)u \le t(y, x \vee y)u.$$

This completes the proof.

Let $F$ be a dependent totality on $D$ and let $G$ be a dependent totality on $\Sigma(D, F)$. Define a parametrized dependent totality $\overline{G}$, i.e., a co-continuous functor from $D$ to the category of parametrizations, by

$$\overline{G}x = \lambda u \in Fx.\ G(x, u).$$

More precisely, for each $x \in D$, $\overline{G}x$ is a dependent totality on $Fx$, defined by the curried form of $G$ as above. In the source we follow, which provides more details, $\overline{G}$ is called the large currying of $G$. Given such a $\overline{G}$, there are parametrized versions of dependent sum $\Sigma(F, G)$ and dependent product $\Pi(F, G)$, which are dependent totalities on $D$, defined for $x \in D$ by

$$\Pi(F, G)x = \Pi(Fx, \overline{G}x),$$

$$\Sigma(F, G)x = \Sigma(Fx, \overline{G}x).$$

To each natural dependent totality $F$ on $D$ we assign an equilogical space over $QD$, i.e., an object

$$q(D, F): Q(D, F) \to QD$$

in the slice over $QD$, by defining

$$Q(D, F) = Q(\Sigma(D, F)),$$

$$q(D, F) = \pi_1^\top,$$

where $\pi_1$ is the first projection $\pi_1: |\Sigma(D, F)| \to |D|$, $\pi_1: (x, u) \mapsto x$.

5 Comparison of Dependent Types

We show that dependent sums and products on totalities coincide with those on equilogical spaces.

Theorem 1 (Main Theorem). Let $F$ be a dependent totality on $D$, and let $G$ be a dependent totality on $\Sigma(D, F)$. The construction of dependent sum $\Sigma(F, G)$ and dependent product $\Pi(F, G)$ agrees with the construction of dependent sum and dependent product in $\mathrm{PER}(\omega\mathrm{ALat})$, i.e.,

$$Q(D, \Sigma(F, G)) \cong \Sigma_{q(D, F)}\, Q(\Sigma(D, F), G),$$

$$Q(D, \Pi(F, G)) \cong \Pi_{q(D, F)}\, Q(\Sigma(D, F), G)$$

in the slice over $QD$.

The rest of this section constitutes a proof of the Main Theorem, but before we embark on it, let us explain its significance. We have defined a translation $Q$ from domain-theoretic dependent totalities to equilogical spaces. The Main Theorem says that this translation commutes with the construction of dependent sums and products. Thus, $Q$ preserves the implicit locally cartesian closed structure of totalities $\Sigma(F, G)$ and $\Pi(F, G)$. It may seem odd that we did not define a functor $Q$ that would embed the dependent totalities into $\mathrm{PER}(\omega\mathrm{ALat})$ and preserve the locally cartesian closed structure. This can be done easily enough, by defining the morphisms $(D, F) \to (E, G)$ to be (equivalence classes of) equivalence-preserving continuous maps $Q(D, F) \to Q(E, G)$, i.e., essentially as the morphisms in $\mathrm{PER}(\omega\mathrm{ALat})$. Note that this is different from the definition of morphisms between parametrizations, as defined by Berger, where the motivation was to build the hierarchies in the first place, rather than to study an interpretation of dependent type theory. Thus, a notion of morphism suitable for the interpretation of dependent type theory was never explicitly given, although it is fairly obvious what it should be. In this manner we trivially obtain a full and faithful functor $Q$. The crux of the matter is that with such a choice of morphisms, the domain-theoretic constructions $\Sigma(F, G)$ and $\Pi(F, G)$ indeed yield the category-theoretic dependent sums and products. This is the main purpose of our work: to show that the domain-theoretic constructions of dependent functionals, which have at times been judged arcane and ad hoc, are essentially the same as the dependent functionals arising in the realizability topos $\mathrm{RT}(P\omega)$, which are much smoother and better understood from the category-theoretic point of view. The benefits of this correspondence go both ways. On the one hand, the domain-theoretic construction, which was conceived through a sharp conceptual analysis of the underlying domain-theoretic notions, is more easily understood and accepted by a category theorist. On the other hand, we can transfer the domain-theoretic results about the dependent functionals to $\mathrm{Equ}$ and $\mathrm{RT}(P\omega)$, e.g., the Continuous Choice Principle from Sect. 6. It is not clear how to obtain the Continuous Choice Principle directly in the realizability setting.

Lastly, we note that the Main Theorem is formulated for dependent sums and products with parameters, i.e., for parametrizations of parametrizations on domains; a parameter-free formulation states only that $Q(\Pi(D, F)) \cong \Pi_{QD}\, q(D, F)$, the dependent product of $q(D, F)$ along $QD \to 1$. We need the theorem with parameters in order to establish the full correspondence between the lccc structures. We now proceed with the proof of the Main Theorem.

Dependent Sums. Dependent sums are easily dealt with because all we have to do is unravel all the definitions. For this purpose, let $X = Q(D, \Sigma(F, G))$ and $Y = Q(\Sigma(D, F), G)$. In order to simplify the presentation we assume that ordered pairs and tuples satisfy the identities $(x, y, z) = ((x, y), z) = (x, (y, z))$. This does not affect the correctness of the proof, since it just amounts to leaving out the appropriate canonical isomorphisms. In particular, this assumption implies the equality $|\Sigma(\Sigma(D, F), G)| = |\Sigma(D, \Sigma(F, G))|$. From this it follows that the underlying lattices $|X|$ and $|Y|$ agree because

$$|Y| = |\Sigma(\Sigma(D, F), G)|^\top = |\Sigma(D, \Sigma(F, G))|^\top = |X|.$$

It remains to show that the partial equivalence relations on $X$ and $Y$ agree as well. We omit the straightforward verification of this fact.

Dependent Products. Dependent products are more complicated. There seems to be no way around it, since we are dealing with rather heavy domain-theoretic machinery. Let

$$U = Q(D, \Pi(F, G)),$$

$$V = \Pi_{q(D, F)}\, Q(\Sigma(D, F), G).$$

Let us explicitly describe $U$ and $V$. The underlying lattice of $U$ is

$$|U| = |\Sigma(D, \Pi(F, G))|^\top.$$

The partial equivalence relation on $U$ relates $(x, f) \in |U|$ and $(y, g) \in |U|$ if, and only if,

$$x \uparrow_D y \;\wedge\; \big(\forall u \in \|Fx\|.\ f u \in \|G(x, u)\|\big) \;\wedge\; \big(\forall v \in \|Fy\|.\ g v \in \|G(y, v)\|\big) \;\wedge\; \forall w \in |F(x \vee y)|.\ \big(f(w_{[x]})\big)^{[(x \vee y,\, w)]} \uparrow \big(g(w_{[y]})\big)^{[(x \vee y,\, w)]}.$$

By (1), the underlying lattice of $V$ is

$$|V| = |D|^\top \times \big(|\Sigma(D, F)|^\top \to |\Sigma(\Sigma(D, F), G)|^\top\big). \tag{6}$$

Elements $(x, f) \in |V|$ and $(y, g) \in |V|$ are related if, and only if, the following holds: $x \uparrow_D y$, and for all $z, z' \in |D|$ such that $z \uparrow_D x$ and $z' \uparrow_D x$, and for all $w \in |Fz|$, $w' \in |Fz'|$ such that $(z, w) \uparrow_{\Sigma(D, F)} (z', w')$:

$$f(z, w) \uparrow_{\Sigma(\Sigma(D, F), G)} g(z', w') \;\wedge\; \pi_1(f(z, w)) \uparrow_{\Sigma(D, F)} (z, w) \;\wedge\; \pi_1(g(z', w')) \uparrow_{\Sigma(D, F)} (z', w').$$
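As an added check, not part of the original paper, here is how (6) and the relation on $V$ come out of the general definition of $\Pi_r$ in Sect. 3 by instantiating it at $r = q(D, F)$; the symbols $I, J, B, b$ are those of Sect. 3:

$$I = QD,\qquad J = Q(D, F) = Q(\Sigma(D, F)),\qquad b = q(\Sigma(D, F), G),\qquad B = Q(\Sigma(\Sigma(D, F), G)),$$

so by (1)

$$|\Pi_r b| = |I| \times (|J| \to |B|) = |D|^\top \times \big(|\Sigma(D, F)|^\top \to |\Sigma(\Sigma(D, F), G)|^\top\big),$$

which is (6). Writing $i = x$, $i' = y$, $j = (z, w)$, $j' = (z', w')$ and using $r(j) = \pi_1^\top(z, w) = z$ and $b(f(j)) = \pi_1(f(z, w))$, the clauses of $(i, f) \sim (i', f')$ become

$$i\,R_I\,i' \;\leftrightarrow\; x \uparrow_D y, \qquad r(j)\,R_I\,i \;\leftrightarrow\; z \uparrow_D x,$$

$$j\,R_J\,j' \;\leftrightarrow\; (z, w) \uparrow_{\Sigma(D, F)} (z', w'), \qquad f(j)\,R_B\,f'(j') \;\leftrightarrow\; f(z, w) \uparrow_{\Sigma(\Sigma(D, F), G)} g(z', w'),$$

$$b(f(j))\,R_J\,j \;\leftrightarrow\; \pi_1(f(z, w)) \uparrow_{\Sigma(D, F)} (z, w),$$

and the remaining condition $\pi_1(g(z', w')) \uparrow_{\Sigma(D, F)} (z', w')$ is the same last clause for the symmetric instance $(i', f') \sim (i, f)$.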

We define maps $\phi: |U| \to |V|$ and $\theta: |V| \to |U|$, and verify that they represent isomorphisms between $U$ and $V$. Let $t$ be a transporter for the parametrization $F$. Define the map $\phi: |U| \to |V|$ by

$$\phi\top = \top, \qquad \phi(x, f) = (x, \phi_2(x, f)),$$

where $\phi_2(x, f): |\Sigma(D, F)|^\top \to |\Sigma(\Sigma(D, F), G)|^\top$ is

$$\phi_2(x, f)\top = \top, \qquad \phi_2(x, f)(y, u) = (x, t(y, x)u, f(t(y, x)u)).$$

Let $s$ be a transporter for the parametrization $G$ on $\Sigma(D, F)$. Define the map $\theta: |V| \to |U|$ by

$$\theta(\top, g) = \top,$$

$$\theta(x, g) = \begin{cases} \top & \text{if } \exists u \in |Fx|.\ g(x, u) = \top \\ \big(x,\ \lambda u \in |Fx|.\ s(g_1(x, u), (x, u))(g_2(x, u))\big) & \text{otherwise} \end{cases}$$

where $g = (g_1, g_2): |\Sigma(D, F)| \to |\Sigma(\Sigma(D, F), G)|$.

It is easy but tedious to verify that $\phi$ and $\theta$ have the intended types. Continuity of $\phi$ follows directly from Corollary 1 and Lemma 1. Continuity of $\theta$ follows from Lemmas 1 and 2. We can apply Lemma 2 because the set

$$\{(x, g) \mid \exists u \in |Fx|.\ g(x, u) = \top\} \subseteq |D| \times \big(|\Sigma(D, F)|^\top \to |\Sigma(\Sigma(D, F), G)|^\top\big)$$

is open, as it is a projection of the open set

$$\{(x, u, g) \mid g(x, u) = \top\} \subseteq |\Sigma(D, F)| \times \big(|\Sigma(D, F)|^\top \to |\Sigma(\Sigma(D, F), G)|^\top\big).$$

Next we verify that $\phi$ and $\theta$ represent morphisms and that they are inverses of each other. Since we only work with total elements from now on, we do not have to worry about the cases when $\top$ appears as an argument or a result of an application.



(1) $\phi$ represents a morphism $U \to V$ in the slice over $QD$. Let $(x, f), (x', f') \in \|U\|$ and suppose $(x, f) \uparrow (x', f')$. This means that $x \uparrow x'$ and $f \uparrow f'$, i.e., for every $w \in |F(x \vee x')|$,

$$\big(f(w_{[x]})\big)^{[(x \vee x',\, w)]} \uparrow \big(f'(w_{[x']})\big)^{[(x \vee x',\, w)]}.$$

We prove that $\phi(x, f) \uparrow \phi(x', f')$. Clearly, $x \uparrow_D x'$ since $x \uparrow x'$ and $x, x' \in \|D\|$. Let

$$g = \pi_2(\phi(x, f)) = \lambda(y, u) \in |\Sigma(D, F)|.\ (x, t(y, x)u, f(t(y, x)u)),$$

$$g' = \pi_2(\phi(x', f')) = \lambda(y, u) \in |\Sigma(D, F)|.\ (x', t(y, x')u, f'(t(y, x')u)).$$

Let $y, y' \in \|D\|$ such that $y \uparrow y'$ and $y \uparrow x$. Let $u \in \|Fy\|$ and $u' \in \|Fy'\|$ such that $u^{[y \vee y']} \uparrow u'^{[y \vee y']}$. We need to show the following:

(a) $(y, u) \uparrow (x, t(y, x)u)$,

(b) $g(y, u) \in \|\Sigma(\Sigma(D, F), G)\|$,

(c) $g'(y', u') \in \|\Sigma(\Sigma(D, F), G)\|$,

(d) $g(y, u) \uparrow g'(y', u')$ in $|\Sigma(\Sigma(D, F), G)|$.

Proof of (a): by assumption $y \uparrow x$, and $u^{[x \vee y]} \uparrow (t(y, x)u)^{[x \vee y]}$ holds because of the common upper bound $t(y, x \vee y)u$:

$$u^{[x \vee y]} \le t(y, x \vee y)u, \qquad (t(y, x)u)^{[x \vee y]} \le \big(t(x, x \vee y) \circ t(y, x)\big)u \le t(y, x \vee y)u.$$

Proof of (b): by assumption $x \in \|D\|$, and also $t(y, x)u \in \|Fx\|$ because $x, y \in \|D\|$, $x \uparrow y$ and $u \in \|Fy\|$ (Lemma 3). Finally, $f(t(y, x)u) \in \|G(x, t(y, x)u)\|$ because $f \in \|\Pi(Fx, \overline{G}x)\|$. The proof of (c) is analogous to the proof of (b).

Proof of (d): by assumption $x \uparrow x'$, and $(t(y, x)u)^{[x \vee x']} \uparrow (t(y', x')u')^{[x \vee x']}$ holds because

$$(t(y, x)u)^{[x \vee x']} \le t(y, x \vee x')u \le t(y \vee y', x \vee x')\big(u^{[y \vee y']}\big),$$

$$(t(y', x')u')^{[x \vee x']} \le t(y', x \vee x')u' \le t(y \vee y', x \vee x')\big(u'^{[y \vee y']}\big),$$

and $u^{[y \vee y']} \uparrow u'^{[y \vee y']}$. Let $z = t(y, x)u$ and $z' = t(y', x')u'$, and let $w = z^{[x \vee x']} \vee z'^{[x \vee x']} \in |F(x \vee x')|$, so that $(x, z) \vee (x', z') = (x \vee x', w)$. We claim that

$$(f z)^{[(x, z) \vee (x', z')]} \uparrow (f' z')^{[(x, z) \vee (x', z')]}.$$

From $z \le w_{[x]}$ it follows that $f z \le f(w_{[x]})$, hence

$$(f z)^{[(x \vee x',\, w)]} \le \big(f(w_{[x]})\big)^{[(x \vee x',\, w)]},$$

and similarly,

$$(f' z')^{[(x \vee x',\, w)]} \le \big(f'(w_{[x']})\big)^{[(x \vee x',\, w)]}.$$

The claim holds because $f \uparrow f'$, which gives $\big(f(w_{[x]})\big)^{[(x \vee x',\, w)]} \uparrow \big(f'(w_{[x']})\big)^{[(x \vee x',\, w)]}$.

(2) $\theta$ represents a morphism $V \to U$ in the slice over $QD$. The proof goes along the same lines as the proof of (1) and is omitted.

(3) $\theta \circ \phi \uparrow 1_U$. Let $(x, f) \in \|U\|$. We need to show that $\theta(\phi(x, f)) \uparrow (x, f)$. The first component is obvious since $\pi_1(\theta(\phi(x, f))) = x$. As for the second component, for any $v \in \|Fx\|$,

$$\big(\pi_2(\theta(\phi(x, f)))\big)v = s\big((x, t(x, x)v), (x, v)\big)\big(f(t(x, x)v)\big) \ge s\big((x, v), (x, v)\big)(f v) \ge f v,$$

hence $\pi_2(\theta(\phi(x, f))) \uparrow f$.

(4) $\phi \circ \theta \uparrow 1_V$. Let $(x, g) \in \|V\|$. We need to show that $\phi(\theta(x, g)) \uparrow (x, g)$. Again, the first component is obvious since $\pi_1(\phi(\theta(x, g))) = x$. For the second component, given any $(y, u) \in \|\Sigma(D, F)\|$ such that $x \uparrow y$, what has to be shown is

$$\big(x,\ t(y, x)u,\ s(g_1(x, t(y, x)u), (x, t(y, x)u))(g_2(x, t(y, x)u))\big) \uparrow g(y, u).$$

First, we have

$$(x, t(y, x)u) \uparrow (y, u) \quad\text{and}\quad (y, u) \uparrow g_1(y, u),$$

and since these are elements of a codense totality, we may conclude by transitivity that $(x, t(y, x)u) \uparrow g_1(y, u)$. Let $z = g_1(y, u)$ and $w = (x, t(y, x)u)$. The relation

$$\big(g_2(y, u)\big)^{[z \vee w]} \uparrow \big(s(g_1 w, w)(g_2 w)\big)^{[z \vee w]}$$

holds because

$$\big(g_2(y, u)\big)^{[z \vee w]} \le s(z, z \vee w)\big(g_2(y, u)\big),$$

$$\big(s(g_1 w, w)(g_2 w)\big)^{[z \vee w]} \le s(g_1 w, z \vee w)(g_2 w),$$

and $(y, u) \uparrow w$ together with monotonicity of the function $\lambda p.\ s(g_1 p, z \vee w)(g_2 p)$ imply that

$$s(z, z \vee w)\big(g_2(y, u)\big) \uparrow s(g_1 w, z \vee w)(g_2 w).$$

This concludes the proof of the Main Theorem.

Let $\mathcal{B}$ be the full subcategory of $\mathrm{Equ}$ on objects $QD$ where $D$ is a natural totality, i.e., $\|D\|$ is a dense, codense, and upward closed subset of $|D|$. It is the case that $\mathcal{B}$ is a cartesian closed subcategory of $\mathrm{Equ}$. However, note that the Main Theorem does not imply that $\mathcal{B}$ is a locally cartesian closed subcategory of $\mathrm{Equ}$. We only showed that $\mathcal{B}$ is closed under those dependent sums and products that correspond to parametrizations on domains. In order to resolve the question whether $\mathcal{B}$ is locally cartesian closed it would be useful to have a good characterization of $\mathcal{B}$ in terms of the categorical structure of $\mathrm{Equ}$.
6 Continuous Choice Principle

As an application of the Main Theorem, we translate Berger's Continuous Choice Principle for dependent totalities into a Choice Principle expressed in the internal logic of $\mathrm{Equ}$. The internal logic of $\mathrm{Equ}$ is a predicative version of intuitionistic first-order logic with dependent types, subset types, and regular quotient types. It is the logic that $\mathrm{Equ}$ inherits as a subcategory of the realizability topos $\mathrm{RT}(P\omega)$. In this section we use obvious and customary notational simplifications for dependent products and sums.

Let $(D, F)$ be a dependent totality. By Proposition 3.5.2 of that work there is a continuous functional

$$\mathit{choose} \in \big|\Pi(x: D,\ (Fx \to \mathbb{B}_\bot) \to Fx)\big|$$

such that for all $x \in \|D\|$ and $p \in \|Fx \to \mathbb{B}\|$, if $p^*(\mathit{true}) \neq \emptyset$, then $(\mathit{choose}\ x)p \in p^*(\mathit{true}) \cap \|Fx\|$. Let $X = QD$, $Y = Q(D, F)$ and $2 = Q(\mathbb{B}_\bot)$. By looking at the proof of Proposition 3.5.2, we see that $\mathit{choose}$ is not a total functional of type $\|\Pi(x: D,\ (Fx \to \mathbb{B}_\bot) \to Fx)\|$ because $\mathit{choose}$ applied to the constant function $\lambda x.\ \mathit{false}$ yields $\top$, which is not total. This means that $\mathit{choose}$ does not represent a morphism in $\mathrm{Equ}$. Nevertheless we can use it to construct a realizer for the following Choice Principle, stated in the internal logic of $\mathrm{Equ}$:

$$\forall p \in \big(\textstyle\sum_{x \in X} Yx\big) \to 2.\ \Big(\big(\forall x \in X.\ \neg\neg\exists y \in Yx.\ p(x, y) = \mathit{true}\big) \Rightarrow \exists h \in \textstyle\prod_{x \in X} Yx.\ \forall x \in X.\ p(x, hx) = \mathit{true}\Big) \tag{7}$$

We omit the proof. Suffice it to say that (7) is realized using $\mathit{choose}$ in much the same way as in the proof of Corollary 3.5.3 of the same work.

If we specialize (7) by setting $X = 1$ and $Y = \mathbb{N}$, we obtain

$$\forall p \in \mathbb{N} \to 2.\ \Big(\big(\neg\neg\exists y \in \mathbb{N}.\ p y = \mathit{true}\big) \Rightarrow \exists z \in \mathbb{N}.\ p z = \mathit{true}\Big).$$

This is a form of Markov's Principle, see for example Vol. 1, Chap. 4, Sect. 5 of the cited reference. Thus, (7) is a generalization of Markov's Principle. This view is in accordance with the construction of the $\mathit{choose}$ functional, which works by searching for a witness.

7 Concluding Remarks

We have shown that dependent sums and dependent products of continuous parametrizations on domains with dense, codense, and natural totalities agree with dependent sums and dependent products in $\mathrm{Equ}$. This subsumes our earlier result and gives further support to Dana Scott's remark that $\mathrm{Equ}$ is a theory of total functions. Our result can be combined with the result by Normann and Waagbø, who related dependent types in domains with totality and dependent types in limit spaces, and with the results by Rosolini, who related dependent types in $\mathrm{Equ}$ to dependent types in various categories of filter spaces [22]. The conclusion is that the dependent-type hierarchies over the natural numbers agree in four settings: domains with totality, equilogical spaces (and thus also the realizability topos $\mathrm{RT}(P\omega)$), limit spaces, and filter spaces.

Once the Main Theorem was established, we could use the Continuous Choice Principle of Berger from the setting of domains with totality to show the validity of a Choice Principle in $\mathrm{Equ}$. The Choice Principle in $\mathrm{Equ}$ is most concisely stated in the internal logic of $\mathrm{Equ}$, and it would be interesting to prove it directly in $\mathrm{Equ}$. It is likely that such a proof requires a better understanding of what codensity corresponds to in $\mathrm{Equ}$. It is not clear how to express codensity in terms of the categorical or the internal logical structure of $\mathrm{Equ}$. We remark that every dense and codense totality $D$ translates into a totally disconnected equilogical space $QD$. An equilogical space $X$ is totally disconnected when the curried form $X \to 2^{2^X}$ of the evaluation map is monic, or equivalently, when the topological quotient $\|X\|/R_X$ is a totally disconnected space. There are totally disconnected equilogical spaces that do not arise as dense and codense totalities. The subcategory of totally disconnected equilogical spaces is a locally cartesian closed subcategory of $\mathrm{Equ}$. Perhaps the notion of total disconnectedness, or some refinement of it, can be useful for this purpose.

The Main Theorem can be used to infer another consequence about equilogical spaces. Berger showed that extensional equality on the dependent-type hierarchy over the natural numbers coincides with the partial equivalence relation induced by the consistency relation on the underlying domains. This is important because the logical complexity of extensional equality is as complicated as the type at which it is defined, whereas consistency can be expressed as a $\Pi_1$ statement and has bounded logical complexity. The Main Theorem implies an analogous result for equality in $\mathrm{Equ}$.
Abstract. We settle a number of questions concerning definability in first-order logics with an extra predicate symbol ranging over semi-linear sets. These questions are motivated by the constraint database model for representing spatial data. We give new results both on the positive and negative side: we show that in first-order logic one cannot query a semi-linear set as to whether or not it contains a line, or whether or not it contains the line segment between two given points. However, we show that some of these queries become definable if one makes small restrictions on the semi-linear sets considered.



1 Introduction

Much recent work in the foundations of spatial databases concerns the modeling of spatial information by constraint sets: Boolean combinations of linear or polynomial inequalities. Constraint sets can be effectively queried using variants of first-order logic; this is the basic idea behind constraint query languages. The most well-studied languages in this family are the first-order linear constraint language $\mathrm{FO}_{\mathrm{LIN}}$ and the first-order polynomial constraint language $\mathrm{FO}_{\mathrm{POLY}}$. By a semi-linear set we mean a subset of a Euclidean space $R^n$ which is definable by a linear constraint, that is, a quantifier-free first-order formula in the real ordered group $(R, +, -, <)$. (Here and throughout this paper, formulas may have parameters from $R$.) By quantifier elimination, each first-order formula is equivalent to a linear constraint in the real ordered group. $\mathrm{FO}_{\mathrm{LIN}}$ is the first-order language with the vocabulary of the real ordered group plus an extra predicate symbol $S$ which ranges over semi-linear sets. Every $\mathrm{FO}_{\mathrm{LIN}}$ sentence defines a collection of semi-linear sets. In $\mathrm{FO}_{\mathrm{POLY}}$, the product symbol $\times$ is added to the vocabulary, and the extra predicate symbol $S$ ranges over the semi-algebraic sets, the subsets of $R^n$ which are definable by polynomial constraints, i.e. quantifier-free (or first-order) formulas in the ordered field of reals.

A basic question, then, concerns the expressive power of these languages. Which families of definable sets (semi-linear sets for $\mathrm{FO}_{\mathrm{LIN}}$, semi-algebraic sets for $\mathrm{FO}_{\mathrm{POLY}}$) can be defined by a sentence in the language of the real ordered group (respectively field) with an extra predicate symbol ranging over the definable sets? More generally, given a family of sets $F$ in Euclidean space, one can ask: which subfamilies of $F$ can be defined by a sentence in $\mathrm{FO}_{\mathrm{LIN}}$ or $\mathrm{FO}_{\mathrm{POLY}}$ with an extra predicate symbol ranging over $F$? Recent work has clarified many questions about the expressive power of $\mathrm{FO}_{\mathrm{LIN}}$ and $\mathrm{FO}_{\mathrm{POLY}}$ with an extra predicate symbol ranging over the finite subsets of Euclidean space. There are also a number of recent results about the expressiveness of $\mathrm{FO}_{\mathrm{POLY}}$ with an extra predicate symbol ranging over the semi-algebraic sets.
However, the expressiveness of $\mathrm{FO}_{\mathrm{LIN}}$ with an extra predicate symbol ranging over the semi-linear sets is much less understood. Let's consider the following examples in the Euclidean plane:

$$\mathit{Colinear} = \{A \subseteq R^2 : \text{all points in } A \text{ are colinear}\}$$

$$\mathit{Is.Line} = \{A \subseteq R^2 : A \text{ is the graph of some line}\}$$

$$\mathit{Cont.Line} = \{A \subseteq R^2 : A \text{ contains the graph of some line}\}$$

$$\mathit{Lin.Reach} = \{(A, a, b) : A \subseteq R^2,\ a, b \in R^2,\ A \text{ contains the line segment from } a \text{ to } b\}$$

In the last example, $\mathrm{FO}_{\mathrm{LIN}}$ has extra constant symbols ranging over $R$, in addition to the extra predicate symbol $S$. Each of the four examples is easily seen to be definable by a sentence in $\mathrm{FO}_{\mathrm{POLY}}$, since there one can quantify over lines. Are they also definable in $\mathrm{FO}_{\mathrm{LIN}}$? It is fairly straightforward to show that $\mathit{Colinear}$ is not definable by a sentence in $\mathrm{FO}_{\mathrm{LIN}}$ (see Remark 1 below). However, $\mathit{Is.Line}$ is definable in $\mathrm{FO}_{\mathrm{LIN}}$: a semi-linear set $A$ belongs to the collection $\mathit{Is.Line}$ iff it is either a vertical line, or it is the graph of a function and has the property that if $x, y, z \in A$ then $x + (y - z) \in A$.

It was asked in earlier work whether $\mathit{Cont.Line}$ is definable in $\mathrm{FO}_{\mathrm{LIN}}$. This and related questions were also considered elsewhere. The general question is: under what circumstances can we ask questions about the existence of lines or line segments in $\mathrm{FO}_{\mathrm{LIN}}$? If it appears that a query cannot be expressed in $\mathrm{FO}_{\mathrm{LIN}}$, how can we prove this? There is a need for techniques to show that a family of semi-linear sets is or is not definable in $\mathrm{FO}_{\mathrm{LIN}}$. In this paper we introduce such techniques, particularly methods from nonstandard analysis, and use them to resolve numerous questions about the definability of sets such as $\mathit{Cont.Line}$ and $\mathit{Lin.Reach}$. We also show some positive results, giving that over certain classes of sets queries with quantification over lines are expressible. For example, we show that $\mathit{Cont.Line}$ is undefinable over arbitrary semi-linear sets, but we also show that $\mathit{Cont.Line}$ is definable if the extra predicate symbol ranges over an interesting subclass, the thin semi-linear sets. We also investigate several natural languages between $\mathrm{FO}_{\mathrm{LIN}}$ and $\mathrm{FO}_{\mathrm{POLY}}$. We give game characterizations of definability in these languages, and extend several of the undefinability results.

Organization: Section 2 introduces the notation and basic definitions. Section 3 gives the basic negative results showing that a number of queries are undefinable in $\mathrm{FO}_{\mathrm{LIN}}$. Section 4 gives positive results showing that certain queries are definable when the extra predicate $S$ ranges over restricted classes of semi-linear sets. Section 5 is about the definability of the property that any two points are $n$-linked (connected by a polygonal path with at most $n$ segments). Conclusions are given in the final section.



2 Notation 

2.1 The Language FOlin 

We start with a signature $\mathcal{S}$ consisting of predicate and constant symbols. For simplicity we will confine our attention to the case where $\mathcal{S} = (S, \mathbf{c})$ has only one binary predicate symbol $S$, and a sequence $\mathbf{c}$ of constant symbols of length $l$. The sequence $\mathbf{c}$ of constant symbols may be empty, that is, $l = 0$.

We let $\mathrm{FO}_{\mathrm{LIN}}(\mathcal{S})$ be the first-order language over the vocabulary $\mathcal{S} \cup \{+, -, <\}$. When $\mathcal{S}$ is clear from context we refer simply to $\mathrm{FO}_{\mathrm{LIN}}$. The first-order structures for this vocabulary have the form $(R, +, -, <, A, \mathbf{a})$ where $A \subseteq R^2$ interprets $S$ and $\mathbf{a} \in R^l$ interprets $\mathbf{c}$. Since all the structures under consideration have the same $(R, +, -, <)$ part, we concentrate on the other part and define an $\mathcal{S}$-structure to be an object $\mathcal{A} = (A, \mathbf{a})$ where $A \subseteq R^2$ interprets $S$ and $\mathbf{a} \in R^l$ interprets $\mathbf{c}$.

An $\mathcal{S}$-structure $\mathcal{A} = (A, \mathbf{a})$ satisfies a sentence $\phi \in \mathrm{FO}_{\mathrm{LIN}}(\mathcal{S})$, in symbols $\mathcal{A} \models \phi$, exactly when the corresponding first-order structure $(R, +, -, <, A, \mathbf{a})$ satisfies $\phi$. If the relation $A$ is semi-linear, we say that $\mathcal{A}$ is a semi-linear structure, or semi-linear instance. Semi-algebraic and semi-analytic structures are defined similarly. Any collection of $\mathcal{S}$-structures is called a (Euclidean) query. By a semi-linear query, we will mean a collection of semi-linear structures. We say that a query $X$ is $\mathrm{FO}_{\mathrm{LIN}}$-definable if there is an $\mathrm{FO}_{\mathrm{LIN}}$ sentence $\phi$ such that:

for every semi-linear structure $\mathcal{A}$, $\mathcal{A} \models \phi$ if and only if $\mathcal{A} \in X$.

We will sometimes consider the following generalization where the family of all semi-linear structures is replaced by another family of structures. Given a "base" query $F$ (not necessarily semi-linear), we say that a query $X$ is $\mathrm{FO}_{\mathrm{LIN}}$-definable over $F$ if there is a sentence $\phi$ of $\mathrm{FO}_{\mathrm{LIN}}$ such that:

for every $\mathcal{A} \in F$, $\mathcal{A} \models \phi$ if and only if $\mathcal{A} \in X$.

Thus when a base $F$ is not mentioned, it is understood to be the family of all semi-linear structures. Some examples of base queries $F$ that will arise in this paper are the families of semi-linear structures $\mathcal{A} = (A, \mathbf{a})$ such that the relation $A$ is:

• finite;

• thin, that is, has an empty interior;

• 1-bounded, that is, is contained in the unit square $[0, 1]^2$;

• has at most $n$ singular points (a singular point is a vertex of the boundary of $A$).

We note that if a query is $\mathrm{FO}_{\mathrm{LIN}}$-definable over $F$ then it is $\mathrm{FO}_{\mathrm{LIN}}$-definable over any subcollection $E \subseteq F$. Thus definability results are stronger when $F$ is larger, while undefinability results are stronger when $F$ is smaller. We will study the definability of some natural queries in $\mathrm{FO}_{\mathrm{LIN}}$ and its extensions. As a starting point, we recall a known fact, which is a consequence of the classical result that the product function cannot be defined in the first-order theory of $(R, +, -, <)$.

Remark 1. The query $\mathit{Colinear}$ is not $\mathrm{FO}_{\mathrm{LIN}}$-definable over the collection of subsets of the plane of cardinality three.



2.2 Nonstandard Analysis and Undefinability 

We will use notions from nonstandard analysis as a tool in many of our proofs. However, all of our results are statements about the standard reals.

The main place where nonstandard notions will be used is in characterizations of definability in query languages. We assume familiarity with basic notions of nonstandard analysis, but give a briefer-than-brief review here.

$N$ denotes the set of positive integers. For any set $U$, the superstructure $V(U)$ with base set $U$ is defined as $V(U) = \bigcup_{n \in N} V_n(U)$ where $V_1(U) = U$, and $V_{n+1}(U) = V_n(U) \cup \{X : X \subseteq V_n(U)\}$. Note in particular that $U \in V(U)$. We will work with the superstructure $(V(U), \in)$ considered as a structure for the first-order language with the binary relation $\in$. A bounded quantifier formula in this language is a formula built up from atomic formulas by the logical connectives and the bounded quantifiers $\forall X \in Y$, $\exists X \in Y$, where $X$ and $Y$ are variables. Almost all of "classical" mathematics can be done within the superstructure $V(R)$ based on the set $R$ of reals.

A nonstandard universe (based on $R$) consists of a pair of superstructures $V(R)$ and $V({}^*R)$ and a mapping ${}^*: V(R) \to V({}^*R)$ such that:

1. ${}^*R$ is a proper extension of $R$;

2. for each $r \in R$, ${}^*r = r$;

3. (Transfer Principle) for any bounded quantifier formula $\phi(v_1, \dots, v_n)$ and any list $a_1, \dots, a_n$ of elements from $V(R)$, $\phi(a_1, \dots, a_n)$ is true in $V(R)$ if and only if $\phi({}^*a_1, \dots, {}^*a_n)$ is true in $V({}^*R)$.

We will fix a nonstandard universe once and for all.
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Note that *R is the image of the element R G V{R), and *R G V{*R). An 
element B G V (*i?) is standard if it is in the image of the *-map, that is, B = *A 
for some A G V{R), and internal if it is an element of a standard set, that is, 
B G *A for some A G V{R). 

Some examples of standard sets are ${}^*\mathbb{R}$, the usual order relation and arithmetic operations on ${}^*\mathbb{R}$, and the sets ${}^*\mathbb{Z}$, ${}^*\mathbb{Q}$, and ${}^*\mathbb{N}$. To improve readability, we ordinarily drop the $*$ from the order relation and arithmetic operations of ${}^*\mathbb{R}$.

All standard sets are internal, all elements of internal sets are internal, and any finite subset of an internal set is internal. Other examples of internal sets are the closed intervals ${}^*[a, b]$ where $a, b \in {}^*\mathbb{R}$, and more generally the sets and relations which are first-order definable in the structure $({}^*\mathbb{R}, {}^*\mathbb{N}, +, \times)$.

An element $r \in {}^*\mathbb{R}$ is finite if $|r| < n$ for some $n \in \mathbb{N}$, and infinitesimal if $|r| < 1/n$ for all $n \in \mathbb{N}$. For $r, s \in {}^*\mathbb{R}$, we write $r \approx s$ if $|r - s|$ is infinitesimal. For each finite $r \in {}^*\mathbb{R}$, there is a unique standard real number ${}^\circ r \in \mathbb{R}$, called the standard part of $r$, such that ${}^\circ r \approx r$.

Three important consequences of the definition are:

• $\mathbb{N}$ is a proper initial segment of ${}^*\mathbb{N}$ in the natural ordering.

• Every nonempty internal subset of ${}^*\mathbb{R}$ which has an upper bound has a least upper bound.

• Every infinite internal set is uncountable (and has cardinality at least the continuum).

It follows that infinite and positive infinitesimal elements of ${}^*\mathbb{R}$ exist. In fact, there are uncountably many infinite $K \in {}^*\mathbb{N}$, and uncountably many infinitesimals in ${}^*\mathbb{Q}$.

Some examples of sets in $V({}^*\mathbb{R})$ which are not internal are: any nonempty subset of ${}^*\mathbb{R}$ which has an upper bound but no least upper bound (such as $\mathbb{R}$, the set of finite elements, or the set of infinitesimals), any countably infinite set, the set of all finite subsets of ${}^*\mathbb{R}$, and the standard part function ${}^\circ$.

By the Transfer Principle, the mapping $*$ is an elementary embedding of the ordered ring $(\mathbb{Z}, +, -, \times, <)$ into $({}^*\mathbb{Z}, +, -, \times, <)$, and similarly for $\mathbb{R}$ and ${}^*\mathbb{R}$. Many of the facts we need from nonstandard analysis can be derived from these elementary embedding results.

When a set $A \in V(\mathbb{R})$ has a name, say the set of widgets, the elements of ${}^*A$ are called $*$widgets, or hyperwidgets. For example, ${}^*\mathbb{R}$ is the set of hyperreal numbers, and the image of the collection of semi-linear sets is the collection of hypersemi-linear sets. Thus every hypersemi-linear set is internal. Hypersemi-linear sets will appear in many of our proofs. When discussing properties of a hypersemi-linear set, we will often drop the “hyper” prefix; for example, we will usually write “line” rather than “hyperline”, and “connected” rather than “hyperconnected”.

By the Transfer Principle, any set which is definable by a first order formula in $({}^*\mathbb{R}, +, -, <)$ is hypersemi-linear. In fact, any set which is definable by a first order hyperformula with parameters in $({}^*\mathbb{R}, +, -, <)$ (or, equivalently, by a hyperfinite Boolean combination of linear constraints) is still hypersemi-linear.

The following proposition will be useful in proving undefinability results. In this proposition, $\equiv$ stands for the elementary equivalence relation between first order structures.

Proposition 1. Suppose $X$ and $F$ are Euclidean queries. Then the following are equivalent:

1. $X$ is not $\mathrm{FO}_{\mathrm{lin}}$-definable over $F$.

2. There are hyperstructures $A, B \in {}^*F$ such that $A \in {}^*X$ and $B \notin {}^*X$, but $({}^*\mathbb{R}, +, -, <, A) \equiv ({}^*\mathbb{R}, +, -, <, B)$.

Proof: We will only use the direction from 2 to 1 in this paper, so we prove that direction here and leave the converse as an exercise. Assume that 1 fails but 2 holds. Let $\phi$ be an $\mathrm{FO}_{\mathrm{lin}}$ sentence which defines $X$ over $F$. By the Transfer Principle, since $A \in {}^*X$, we have $A \models \phi$ and $({}^*\mathbb{R}, +, -, <, A) \models \phi$. Similarly, since $B \notin {}^*X$, we have $B \models \neg\phi$ and $({}^*\mathbb{R}, +, -, <, B) \models \neg\phi$. This contradicts 2. $\square$



3 Undefinability in First-Order Logic 

Theorem 1. The query Lin.Reach is not definable in $\mathrm{FO}_{\mathrm{lin}}$.

Proof: To do this we construct a hypersemi-linear set $A$ as follows. Let $\delta$ be a positive infinitesimal and $m$ be an element of ${}^*(0, 1)$ which satisfy requirements to be given below. Let $B$ be the set of parallel lines $y = K\delta + mx$, with $K \in {}^*\mathbb{Z}$, and let $A$ be the intersection of $B$ with the hyperreal unit square ${}^*[0, 1]^2$. Thus $\delta$ will be the vertical distance between line segments, and $m$ will be the slope of any of the lines. See Figure 1.

Let $D = \{K : K/n \in {}^*\mathbb{Z} \text{ for all } n \in \mathbb{N}\}$. $D$ is the largest divisible subgroup of $({}^*\mathbb{Z}, +, -)$. $D$ is nontrivial, since $K! \in D$ for any infinite $K \in {}^*\mathbb{N}$. Choose hyperrational numbers $m, \delta \in {}^*\mathbb{Q} \cap {}^*[0, 1]$ so that:

• $m = J/L \in {}^*\mathbb{Q}$ where $J, L \in {}^*\mathbb{N}$ and $J < L$

• The standard part ${}^\circ m$ (which belongs to $[0, 1]$) is irrational

• $H = 1/\delta$ is in $D$ and is such that $H/L \in D$ (i.e. $H$ is $L$ times something in $D$)

Our aim is to find a function $f$ satisfying the following requirements. Let $\Delta(x) = f(x) - x$. We say that a function $f : {}^*\mathbb{R} \to {}^*\mathbb{R}$ is good if for all $x, y \in {}^*\mathbb{R}$:

• $f$ is a bijection

• $f$ is order preserving

• $f$ is linear, i.e. $f(x + y) = f(x) + f(y)$

• $f(\epsilon) = \epsilon$ for all infinitesimal $\epsilon$

• $f(z) = z$ for all $z \in {}^*\mathbb{Z}$

• $f(x) \approx x$ (hence $\Delta(x) \approx 0$)

• $\Delta(x)/\delta \in D$ and $\Delta(x)m/\delta \in D$

• $f(m) \neq m$

[Fig. 1. The Basic Construction; the labelled points are $(1, f(m))$ and $(1, m)$.]

For any function $f$ on the hyperreal line, we let $\bar f$ be the map on the plane defined by $\bar f((x, y)) = (f(x), f(y))$.

Claim 1 For any good function $f$, $\bar f$ maps any point lying on a line of the form $y = K\delta + mx$, with $K \in {}^*\mathbb{Z}$, to a point on another line of this form.

Proof: Given $y = K\delta + mx$, we show that $(f(x), f(y))$ is of the required form, i.e. $(f(y) - mf(x))/\delta \in {}^*\mathbb{Z}$. We have

$f(y) - mf(x) = f(K\delta) + f(mx) - mf(x) = K\delta + \Delta(K\delta) + mx + \Delta(mx) - m(x + \Delta(x))$.

This is $K\delta + \Delta(K\delta) + \Delta(mx) - m\Delta(x)$. But each of these four terms is a multiple of $\delta$, because for every $z$, $\Delta(z)/\delta \in D \subseteq {}^*\mathbb{Z}$, and similarly $m\Delta(x)/\delta \in {}^*\mathbb{Z}$. $\square$




Lemma 1. There is a good function $f$.

The proof of this lemma will take some time. Let $R_0$ be the smallest divisible subgroup of $({}^*\mathbb{R}, +, -)$ that contains both ${}^*\mathbb{Z}$ and the set of all infinitesimals.

Note that $R_0$ is just the set of all $x \in {}^*\mathbb{R}$ such that the standard part of the fractional part of $x$ is rational.

Claim 2 $R_0$ is equal to the set of all $x \in {}^*\mathbb{R}$ such that $x = p + n + \epsilon$ for some $p \in \mathbb{Q} \cap [0, 1)$, $n \in {}^*\mathbb{Z}$, and $\epsilon \approx 0$. Moreover, for each $x \in R_0$, the decomposition $x = p + n + \epsilon$ is unique.

Proof: The first statement is clear. To prove uniqueness, suppose $p + n + \epsilon = p' + n' + \epsilon'$. Then $n - n' = (p' - p) + (\epsilon' - \epsilon)$. The left side of this equation belongs to ${}^*\mathbb{Z}$, and the right side is finite and has standard part in $(-1, 1)$. Therefore both sides of the equation are equal to 0. Therefore $n = n'$ and $p' \approx p$. It follows that $p' = p$ and hence $\epsilon' = \epsilon$. $\square$

Now let $\mathfrak{c}$ be the cardinality of the continuum. As usual, we identify $\mathfrak{c}$ with the set of all ordinals of cardinality less than $\mathfrak{c}$. Let $\{r_\alpha : \alpha < \mathfrak{c}\}$ be an enumeration of the set of all reals in $[0, 1)$. Starting with $R_0$ defined above, we build an increasing chain of sets $R_\alpha$, $\alpha < \mathfrak{c}$, by the following transfinite recursion. For limit ordinals $\gamma < \mathfrak{c}$, put $R_\gamma = \bigcup_{\beta < \gamma} R_\beta$. For successor ordinals $\alpha + 1$, let $R_{\alpha+1}$ be the smallest divisible subgroup of $({}^*\mathbb{R}, +, -)$ that contains both $R_\alpha$ and $r_\alpha$. We then have ${}^*\mathbb{R} = \bigcup_{\alpha < \mathfrak{c}} R_\alpha$. Note that in the case that $r_\alpha \in R_\alpha$, $R_{\alpha+1}$ is just $R_\alpha$.

Claim 3 $R_{\alpha+1}$ is equal to the set of all $x \in {}^*\mathbb{R}$ such that $x = pr_\alpha + n + y$ for some $p \in \mathbb{Q}$, $n \in {}^*\mathbb{Z}$, and $y \in {}^*[0, 1) \cap R_\alpha$. Moreover, if $r_\alpha \notin R_\alpha$, then for each $x \in R_{\alpha+1}$ the decomposition $x = pr_\alpha + n + y$ is unique.

Proof: To prove uniqueness, suppose $pr_\alpha + n + y = p'r_\alpha + n' + y'$. If $p \neq p'$, then $r_\alpha = ((n - n') + (y - y'))/(p' - p) \in R_\alpha$. On the other hand, if $p = p'$, then $n + y = n' + y'$, so $n - n' = y' - y$. The left side of this equation belongs to ${}^*\mathbb{Z}$ and the right side belongs to ${}^*(-1, 1)$. Therefore both sides are equal to 0, so $n = n'$ and $y = y'$. $\square$



Claim 4 For each $\alpha < \mathfrak{c}$, $R_\alpha$ contains fewer than $\mathfrak{c}$ real numbers.

Proof: We will prove by transfinite induction that for each $\alpha < \mathfrak{c}$, $|R_\alpha \cap \mathbb{R}| \le \aleph_0 + |\alpha| < \mathfrak{c}$. By Claim 2, $R_0 \cap \mathbb{R} = \mathbb{Q}$, so $|R_0 \cap \mathbb{R}| = \aleph_0$. If $\alpha$ is a limit ordinal, then by inductive hypothesis, $|R_\alpha \cap \mathbb{R}| \le \sum_{\beta < \alpha} (\aleph_0 + |\beta|) = \aleph_0 + |\alpha|$.

Now assume the result for $\alpha$. By Claim 3 we have $|R_{\alpha+1} \cap \mathbb{R}| \le |\mathbb{Q}| \times |R_\alpha \cap \mathbb{R}| \le \aleph_0 + |\alpha|$. Thus the result holds for $\alpha + 1$, and the induction is complete. $\square$

Claim 5 There exist infinitely many positive infinitesimal $\epsilon \in {}^*\mathbb{Q}$ such that $\epsilon/\delta \in D$ and $\epsilon m/\delta \in D$.

Proof: By hypothesis, $1/\delta = H$ where $H \in D$ and $H/L \in D$, so $mH = J(H/L) \in D$. Thus for all $n \in \mathbb{N}$, $H/n \in {}^*\mathbb{Z}$ and $mH/n \in {}^*\mathbb{Z}$. Using the Transfer Principle, there is a least $n \in {}^*\mathbb{N} \setminus \mathbb{N}$ such that $H/n \notin {}^*\mathbb{Z}$ or $mH/n \notin {}^*\mathbb{Z}$. Therefore for all sufficiently small infinite $K \in {}^*\mathbb{N}$ we have $H/K \in D$ and $mH/K \in D$. Thus $\epsilon = 1/K$ has the required property. $\square$

With another transfinite recursion, we build an increasing chain of functions $f \restriction R_\alpha : R_\alpha \to {}^*\mathbb{R}$, $\alpha < \mathfrak{c}$. Let $f \restriction R_0$ be the identity function on $R_0$, take unions at limit ordinals, and define $f \restriction R_{\alpha+1}$ as follows when $r_\alpha \notin R_\alpha$: By Claim 5 we may choose a positive infinitesimal $\epsilon_\alpha \in {}^*\mathbb{Q}$ such that $\epsilon_\alpha H \in D$ and $\epsilon_\alpha mH \in D$. For $x \in R_{\alpha+1}$, put $x = pr_\alpha + n + y$ as in Claim 3 and define $f(x) = p(r_\alpha + \epsilon_\alpha) + f(n + y)$. When $x \in R_\alpha$, we have $p = 0$, so the new value of $f(x)$ agrees with the old. Taking the union, we have a function $f : {}^*\mathbb{R} \to {}^*\mathbb{R}$.

We now add one more requirement in the construction which will ensure that $f(m) \neq m$. Consider the first $\beta$ such that $m \in R_\beta$. Since ${}^\circ m$ is irrational, $m \notin R_0$, so $\beta > 0$. Then $\beta$ must be a successor ordinal, $\beta = \alpha + 1$. Since $m \notin R_\alpha$ we have $R_{\alpha+1} \neq R_\alpha$ and thus $r_\alpha \notin R_\alpha$. We then have a unique decomposition $m = pr_\alpha + n + y$ with $p \neq 0$. Any two different choices of the infinitesimal $\epsilon_\alpha$ will result in different values for $f(m)$, so we can choose $\epsilon_\alpha$ in such a way that $f(m) \neq m$.

Claim 6 The function $f$ is good.

Proof: We verify the requirement that $\Delta(x)/\delta \in D$ and $\Delta(x)m/\delta \in D$ for all $x \in {}^*\mathbb{R}$. Let $\beta = \alpha + 1$ be the first ordinal such that $x \in R_\beta$, and put $x = pr_\alpha + n + y$. We argue by induction on $\alpha$. We have $\Delta(x) = f(x) - x = p\epsilon_\alpha + \Delta(n + y)$, where $n + y \in R_\alpha$ and $p \in \mathbb{Q}$. By definition, $\epsilon_\alpha/\delta \in D$, and by inductive hypothesis, $\Delta(n + y)/\delta \in D$. Since $D$ is a divisible group, it follows that $\Delta(x)/\delta \in D$. The proof that $\Delta(x)m/\delta \in D$ is similar. The other requirements on $f$ are easily proved by induction on $\alpha$. $\square$

This completes the proof of Lemma 1.

We now use the good function $f$ to complete the proof of Theorem 1. Consider the hypersemi-linear structures $\mathcal{A} = (A, 0, 0, 1, m)$ and $\mathcal{B} = (A, 0, 0, 1, f(m))$. The two points $(0, 0)$, $(1, m)$ are on the same line segment in $\mathcal{A}$, so Lin.Reach holds in $\mathcal{A}$. But $f(m) \neq m$, so Lin.Reach fails in $\mathcal{B}$. Since $f$ is good, it is an automorphism of the hyperreal ordered group that maps the relation and constants in $\mathcal{A}$ to those in $\mathcal{B}$. Hence $({}^*\mathbb{R}, +, -, <, \mathcal{A}) \equiv ({}^*\mathbb{R}, +, -, <, \mathcal{B})$. By Proposition 1, Lin.Reach is not $\mathrm{FO}_{\mathrm{lin}}$ definable. $\square$

The above proof shows more. Let Conn be the query

$\mathrm{Conn} = \{(A, a, b) : A \subseteq \mathbb{R}^2,\ a, b \in \mathbb{R}^2,\ a \text{ is connected to } b \text{ in } A\}$.

Corollary 1. Lin.Reach is not $\mathrm{FO}_{\mathrm{lin}}$-definable over the collection $F$ of 1-bounded thin semi-linear sets. In fact, there is no sentence $\psi$ of $\mathrm{FO}_{\mathrm{lin}}(S)$ such that $(\mathrm{Lin.Reach} \to \psi) \wedge (\psi \to \mathrm{Conn})$ holds in all $A \in F$.

Proof: The graph $A$ is 1-bounded and thin. The points $(0, 0)$, $(1, m)$ are on the same line segment in the structure $\mathcal{A}$, but the corresponding points $(0, 0)$, $(1, f(m))$ are not even connected in the structure $\mathcal{B}$. Thus $\psi$ would have to hold in $\mathcal{A}$ but fail in $\mathcal{B}$, so $\psi$ cannot be a sentence of $\mathrm{FO}_{\mathrm{lin}}$. $\square$

The proof of Theorem 1 can be modified to show that Lin.Reach is $\mathrm{FO}_{\mathrm{lin}}$ undefinable over other families. For example, the preceding proof uses hypersemi-linear sets with infinitely many parallel line segments, which corresponds to a family of semi-linear sets with unboundedly many parallel line segments, and thus unboundedly many singular points. The next result has a finite bound on the number of singular points but a nonempty interior.

Theorem 2. Lin.Reach is not $\mathrm{FO}_{\mathrm{lin}}$-definable over the collection of 1-bounded semi-linear sets with ten singular points.

Proof: We modify the set $A$ to form two new sets $T$ and $U$ (see Figure 2). To form $T$, we first replace the unit square by the “unit right triangle” with vertices $(0, 0)$, $(1, 0)$, $(1, 1)$. Then we add all of the interior of the unit right triangle except for two similar infinitesimal triangular windows around the points $(0, 0)$ and $(1, m)$ with height $< \delta$. These windows are so small that they miss all of the original family of parallel lines of slope $m$ except for the line segment through $(0, 0)$, $(1, m)$. The set $T$ formed in this way is a 1-bounded hypersemi-linear set with ten singular points. The set $U$ is similar except that the second triangular window is around the point $(1, f(m))$. We use the same function $f$ as before. $f$ is an isomorphism between the structures $(T, 0, 0, 1, m)$ and $(U, 0, 0, 1, f(m))$. The points $(0, 0)$, $(1, m)$ are on a line segment contained in $T$ but the points $(0, 0)$, $(1, f(m))$ are not on a line segment contained in $U$. $\square$

We will now show that the query Cont.Line is not first order definable. Here the signature has a binary predicate symbol but no constants.

Theorem 3. The query Cont.Line is not definable in $\mathrm{FO}_{\mathrm{lin}}$. In fact, it is not even $\mathrm{FO}_{\mathrm{lin}}$-definable over the collection of sem-linear sets with ten singular points.

Proof: We modify the construction in the previous theorem. Let $T$, $U$, and $f$ be as in the proof of Theorem 2. We will add two infinite cones to $T$ as follows. Let $C_1$ be the cone heading towards $-\infty$ with apex $(0, 0)$ and bounded by two rays having standard rational slopes $r$ and $s$ where $0 < r < {}^\circ m < s < 1$. See Figure 3.

$C_1$ is a standard cone defined by rational numbers, and hence will be fixed by $f$. Let $C_2$ be the cone with apex $(1, m)$ and bounded by two lines having rational slopes $r'$ and $s'$ with $0 < r' < {}^\circ m < s' < 1$. The base of $C_2$ will be moved by $f$, and the rationality of the slopes will guarantee that the boundary lines map to boundary lines. Thus $C_2$ maps under $f$ to the cone $C_2'$ with apex $(1, f(m))$ and boundary rays having slopes $r'$ and $s'$. Let $T_1 = T \cup C_1 \cup C_2$ and $U_1 = U \cup C_1 \cup C_2'$. These sets again have ten singular points. $T_1$ contains a line and $U_1$ does not. It is clear that $f$ maps $T_1$ to $U_1$, which shows that the corresponding structures are equivalent in $\mathrm{FO}_{\mathrm{lin}}$. $\square$

[Fig. 2. Modified Construction; the labelled points are $(0, 0)$ and $(1, m)$.]



4 Definability over Thin Sets 

There is an intuition that queries such as Lin.Reach and Cont.Line are “almost” first-order definable. We will give two positive results showing that Cont.Line and Lin.Reach are definable over restricted classes of semi-linear structures.

We note that in Theorem 3 we made use of examples that had nonempty, and in fact unbounded, interiors. We show here that this is essential. We show that Cont.Line is definable over thin semi-linear instances: i.e. there is an $\mathrm{FO}_{\mathrm{lin}}$ sentence $\phi$ such that for each thin semi-linear structure $\mathcal{A}$, $\mathcal{A} \models \phi \iff \mathcal{A} \in \mathrm{Cont.Line}$.

Theorem 4. Cont.Line is $\mathrm{FO}_{\mathrm{lin}}$ definable over the family of thin semi-linear sets.

Proof: A point is called regular in $S$ if it is not singular in $S$. If $U(y, z)$ denotes the open rectangle with corners $y, z$, then $x \in U(y, z)$ can be expressed by the formula $y_1 < x_1 < z_1 \wedge y_2 < x_2 < z_2$. Thus if $S$ is thin one can say that $x$ is regular in $S$ with the formula $\mathrm{Reg}(x)$:

$\exists y\, \exists z\, \exists u\, [u \neq 0 \wedge (S \cap U(y, z))$ contains $x + u$, $x - u$ and is closed under midpoints$]$.
[Fig. 3. Contains a line]

Let $\mathrm{Cong}(x, y)$ (for congruence) say that $x$ and $y$ are regular in $S$, and the line segments in $S$ containing $x$ and $y$ are parallel (that is, for all sufficiently small $z$, $x + z \in S \leftrightarrow y + z \in S$).

Let $\mathrm{MinSame}(x, t, y)$ say that $y$ is minimal such that $\mathrm{Cong}(x, t, y)$, that is, $\mathrm{Cong}(x, t, y) \wedge \forall u\, (\mathrm{Cong}(x, t, u) \to y \le u)$.

Let $\mathrm{Far}(t)$ say that there are no singular points of $S$ with horizontal coordinate $> t$. Let Vert be the sentence asserting that $S$ contains a vertical line. Finally, let $\phi$ be the sentence

$\mathrm{Vert} \vee \exists x\, (\mathrm{Reg}(x) \wedge \forall t\, \forall t'\, [\mathrm{Far}(t) \wedge \mathrm{Far}(t') \to \exists y\, \exists y'\, [\mathrm{MinSame}(x, t, y) \wedge \mathrm{MinSame}(x, t', y') \wedge (x + (t', y') - (t, y)) \in S]])$.

We claim that $\phi$ is the required sentence. Suppose $S$ is a thin semi-linear set in Cont.Line. If $S$ contains a vertical line then it satisfies $\phi$. Suppose $S$ contains a nonvertical line $L$, and let $x$ be any regular point on $L$. Let $t$ and $t'$ be points beyond any singular point of $S$ with $0 < t < t'$. To the right of $t$, $S$ can only consist of finitely many rays that never intersect, including the part of $L$ beyond $t$. Among these rays is a lowest ray $L'$ which is parallel to $L$. There exist $y, y'$ such that $(t, y)$ and $(t', y')$ are on $L'$. Then $\mathrm{MinSame}(x, t, y)$ and $\mathrm{MinSame}(x, t', y')$. Since $L'$ is parallel to $L$, the sum of $x$ and the vector between $(t, y)$ and $(t', y')$ is on $L$, and hence is in $S$.

Conversely, suppose that $S$ satisfies $\phi$. Suppose Vert does not hold, and let $x$ be any witness for the rest of $\phi$. Locally, $S$ looks like a line $L$ through $x$, since $x$ is a regular point and $S$ is thin. We show that $L$ is actually contained in $S$. Let $m$ be the slope of $L$. For any $d$ we can find $t$ and $t'$ satisfying $\mathrm{Far}(t) \wedge \mathrm{Far}(t')$ with $t - t' = d$. Since $S$ satisfies $\phi$, there are minimal $y$ and $y'$ such that in neighborhoods of both $(t, y)$ and $(t', y')$, $S$ is a line with slope $m$. Since $t$ and $t'$ are far out, the only possibility is that $(t, y)$ and $(t', y')$ actually are on the same line of $S$, which means that the slope of the line segment between them must be $m$. Hence when we add the vector between $(t, y)$ and $(t', y')$ to $x$, we get the point on $L$ at horizontal distance $d$ away from $x$. By assumption, this point is in $S$. Since $d$ was arbitrary, this shows that $S$ contains $L$. $\square$

The above argument also shows somewhat more.

Corollary 2. Cont.Line is $\mathrm{FO}_{\mathrm{lin}}$ definable over the family of semi-linear sets with 1-bounded interior.



5 Definability of n-Linked 



We say a semi-linear set $A$ is $n$-linked if for any two points $x$ and $y$ in $A$, there is a polygonal path from $x$ to $y$ consisting of at most $n$ line segments. $n$-linkedness is a natural connectivity property of semi-linear sets, and in this section we will give a fairly complete description of the definability of $n$-linkedness for $n \in \mathbb{N}$ (summarized at the end of the section). Somewhat surprisingly, the answer will be “yes” for some values of $n$ and “no” for others.

Theorem 5. 1-linked is $\mathrm{FO}_{\mathrm{lin}}$ definable. 2-linked is $\mathrm{FO}_{\mathrm{lin}}$ definable over the family of thin semi-linear sets.

Proof: 1-linked is definable by the statement: For any two points in $S$, their midpoint is in $S$.

For 2-linked, let $\mathrm{Parallel}(x, y)$ say that $y$ is regular and there is a line segment of $S$ containing $x$ that has the same slope as the line segment through $y$. Since $S$ is thin, this can be expressed by the formula:

$x \in S \wedge \mathrm{Reg}(y) \wedge (\forall u$ sufficiently close to $0)\, [y + u \in S \to (x + u \in S \vee x - u \in S)]$.

As before, we let $\mathrm{Mid}(x, y)$ denote the midpoint between $x$ and $y$. Now consider the sentence $\phi$:

$\forall x\, \forall y\, (\mathrm{Reg}(x) \wedge \mathrm{Reg}(y) \to [\mathrm{Parallel}(x, y) \to \mathrm{Mid}(x, y) \in S] \wedge [\neg\mathrm{Parallel}(x, y) \to \exists z\, (\neg\mathrm{Reg}(z) \wedge \mathrm{Parallel}(z, x) \wedge \mathrm{Parallel}(z, y) \wedge \mathrm{Mid}(z, y) \in S \wedge \mathrm{Mid}(z, x) \in S)])$

This sentence says that any two regular points either have the same slope and their midpoint is in $S$, or they have different slopes and there is a singular point realizing both slopes whose midpoint with each of the original points is in $S$.

We assume $\phi$ and show that $S$ is 2-linked. Note that it suffices to show that every two regular points are connected by a path consisting of two line segments (since for two singular points $x$ and $y$ we can find regular points $x'$ and $y'$ nearby such that any path from $x'$ to $y'$ extends to a path from $x$ to $y$ with the same number of segments). Suppose $x$ and $y$ are in $S$ and are regular. Case 1: The slope of $S$ at $x$ is the same as the slope at $y$. In this case the line segment $L$ between $x$ and $y$ must be in $S$; if not, we can find regular points $p$ and $q$ on $L$ such that the midpoint of $p$ and $q$ is not in $S$, which contradicts $\phi$. Case 2: The slopes at $x$ and $y$ are different. Choose $z$ as given by $\phi$. Reasoning as before, we see that the line segment between $z$ and $y$ must be in $S$, and the same for the segment between $z$ and $x$. But this shows that $S$ is 2-linked.

Conversely suppose that $S$ is two-linked. For any regular $x$ and $y$ in $S$, either they are one-linked, in which case they satisfy the $\mathrm{Parallel}(x, y)$ clause, or they are (minimally) two-linked, in which case they satisfy the $\neg\mathrm{Parallel}(x, y)$ clause. $\square$

We now show that the assumption that $A$ is thin is necessary:

Corollary 3. 2-linked is not $\mathrm{FO}_{\mathrm{lin}}$ definable, even over the family of 1-bounded semi-linear sets with ten singular points.

Proof: This follows from the proof of Theorem 2. That proof uses a pair of 1-bounded hypersemi-linear structures with ten singular points which are elementarily equivalent in $\mathrm{FO}_{\mathrm{lin}}$, but one structure is 2-linked and the other is not. $\square$

The following results can be proved by modifying the constructions in this paper. The proofs will be given in the full paper.

Theorem 6. 3-linked is not $\mathrm{FO}_{\mathrm{lin}}$ definable over the family of thin semi-linear sets.

Theorem 7. There is no $\mathrm{FO}_{\mathrm{lin}}$ sentence $\psi$ such that

$(4\text{-linked} \to \psi) \wedge (\psi \to \mathrm{Conn})$

holds in all thin semi-linear sets $A$. In particular, for each $k \ge 4$, $k$-linked is not $\mathrm{FO}_{\mathrm{lin}}$ definable over the family of thin semi-linear sets.

We do not know whether the above theorem can be improved by replacing 4-linked by 3-linked.

Putting together all of the above results we have:

Summary of Definability for n-linked

  n      Semi-linear    ... and Thin    ... and Boundedly Many Singularities
  1      Yes            Yes             Yes
  2      No             Yes             Yes
  >= 3   No             No              Yes

Here ‘Yes’ in a box for integer $n$ and class $C$ means that $n$-linked is definable over $C$.
6 Conclusions and Future Work

Questions concerning definability with an extra predicate, even for a well-understood structure such as the real ordered group, turn out to be surprisingly complex. The answers are also a bit counterintuitive: the results here show that seemingly slight modifications of either the query definition or the class of definable sets can make or break definability. It would clearly be desirable to find general topological conditions on a family of sets that guarantee definability and include the interesting definable examples here. Our results, however, indicate that this will be a difficult (perhaps impossible) task.

Given the undefinability results, it seems natural to look for intermediate languages between the first-order linear and polynomial query languages, which can define the queries considered here. In the full version of this paper we will introduce such intermediate languages, but space does not permit us to present the results in this extended abstract.
Abstract. We study definability of languages in arithmetic and the free monoid by bounded versions of fixed-point and transitive-closure logics. In particular we give logical characterisations of complexity classes by showing that a language belongs to $\mathcal{C}$ if and only if it is definable in either arithmetic or the free monoid by a formula of a certain logic. We investigate in which cases the bounds of fixed-point operators may be omitted. Finally, a general translation of results from descriptive complexity to the approach described in this paper is presented.

Keywords: descriptive complexity, definability, arithmetic



1 Introduction 

Descriptive complexity theory studies the connections between definability and complexity classes (see [?] for an overview). The most common approach originates in finite model theory and yields characterisations of the following form: “Some class $\mathcal{K}$ of finite structures belongs to the complexity class $\mathcal{C}$ if and only if $\mathcal{K}$ is the class of finite models of some sentence of the logic $\mathcal{L}$.” More formally, $\mathcal{K} \in \mathcal{C}$ iff $\mathcal{K} = \mathrm{Mod}(\varphi)$ for some $\varphi \in \mathcal{L}$. Starting with Fagin’s famous characterisation of Nptime, descriptions of most of the common complexity classes have been obtained in this way.

Another equally well developed method is based on function algebras and recursion schemes (see [?] for an overview, or [?] for a formulation in terms of proof theory). It originated in recursion theory with characterisations of the recursive and primitive recursive functions and later on was applied by Cobham to describe the class of polynomial time computable functions.

In the present article we will follow a third approach. We fix a model with universe $\{0, 1\}^*$, $\mathbb{N}$, or some other countable set with canonical encoding in $\{0, 1\}^*$, and investigate which languages are definable within this model using different logics. This approach has mainly been used in recursion theory so far, for instance to define the arithmetic and analytic hierarchy. To the author’s knowledge there are only few characterisations of decidable complexity classes using this method. The Büchi-Bruyère Theorem (see [?] for an overview) states that the $p$-adic encoding of a set of natural numbers is regular if and only if the set is first-order definable in $(\mathbb{N}, +, V_p)$ where $V_p(x) := p^k$ for the greatest $k$ such that $p^k \mid x$. Wrathall [?] showed that the class of languages definable by $\Delta_0$-formulae in $(\mathbb{N}, +, \cdot)$ is equal to the linear hierarchy. As mentioned in [?], a characterisation of the polynomial hierarchy is obtained if one adds the operator $x \# y = 2^{\log_2 x \cdot \log_2 y}$.

Below we will show that by adding fixed-point or transitive-closure operators those results can be extended to characterise many of the usual complexity classes. The results themselves are unsurprising and mirror those of finite model theory. Indeed, the similarity between both approaches enables us to present a translation from the formalism of finite model theory to definability in the binary tree and vice versa. So, what are the differences between them? First, our formalism seems to be more general since by using other structures than the binary tree — e.g., arithmetic — we can capture different classes such as Exptime or Expspace for which there is no “classical” characterisation. A second point is that depending on the circumstances one approach might be more convenient to work with. For instance, from an algorithmic point of view the classical approach seems to be more suitable since one can speak about, say, graphs directly instead of having to encode them as words. On the other hand, when dealing with languages, e.g., in structural complexity, or when thinking of applications in feasible model theory, our formalism might be of advantage. Finally, by changing the formalism a different set of logical and algebraic methods for the investigation of complexity classes becomes available (although whether this is of any help remains to be seen).

The paper is organised as follows. In the next section we give a short overview of classical descriptive complexity theory and list some results for comparison. Furthermore, we introduce the logics used in the rest of the article.

Section 3 considers various structures of natural numbers and investigates which complexity classes can be characterised within them. We show how to generalise these results to arbitrary linear orderings of type $\omega$, and study in which cases the bounds of fixed-point operators are really needed.

In Section 4 we turn to the free monoid and show that many classical results can be translated to our approach, and vice versa.

2 Preliminaries 

We recall the basic definitions of descriptive complexity theory. For simplicity we will consider only languages over a binary alphabet. In the classical approach each word $w \in \{0, 1\}^+$ is represented by the word model

$\underline{w} := (\{0, \ldots, |w| - 1\}, <, S, \min, \max, P)$

where $S$ is the successor relation of $<$, $\min$ and $\max$ are the first and last elements, and $P$ is the set of positions carrying the symbol 1. While in descriptive complexity theory one usually allows classes of arbitrary finite models we will only consider word models in the following.

Let $\mathcal{C}$ be a complexity class. We say that the logic $\mathcal{L}$ captures $\mathcal{C}$ (on word models) iff $\mathcal{C} = \{ L(\varphi) \mid \varphi \in \mathcal{L} \}$, where $L(\varphi) := \{ w \in \{0, 1\}^+ \mid \underline{w} \models \varphi \}$.

Logics capturing complexity classes include first-order logic FO and its extensions by transitive-closure or fixed-point operators, and fragments of second-order logic (see Table 1).
Table 1. Logics capturing complexity classes

  Class        Logic       Class     Logic               Class      Logic
  AC$^0$       FO          Ptime     FO(LFP)             Nptime     $\Sigma^1_1$
  Logspace     FO(DTC)               $\Sigma^1_1$-Horn   PH         SO
  Nlogspace    FO(TC)                SO-Horn             Pspace     FO(PFP)

(Deterministic) transitive-closure logic FO((D)TC) is obtained from FO by adding the operator

$[(\mathrm{D})\mathrm{TC}_{\bar x, \bar y}\ \varphi(\bar x, \bar y, \bar z)](\bar u, \bar v)$.

The semantics is defined as follows (where for notational convenience we omitted all references to the structure in question). $[\mathrm{TC}_{\bar x, \bar y}\ \varphi](\bar a, \bar b)$ holds iff there are tuples $\bar a_0 = \bar a, \bar a_1, \ldots, \bar a_n = \bar b$, $n > 0$, such that $\varphi(\bar a_i, \bar a_{i+1})$ holds for all $i < n$. The deterministic version is defined by

$[\mathrm{DTC}_{\bar x, \bar y}\ \varphi(\bar x, \bar y, \bar z)](\bar u, \bar v) = [\mathrm{TC}_{\bar x, \bar y}\ \varphi(\bar x, \bar y, \bar z) \wedge \forall \bar y'\, (\varphi(\bar x, \bar y', \bar z) \to \bar y' = \bar y)](\bar u, \bar v)$

Similarly, in least and partial fixed-point logic FO(LFP) and FO(PFP) one adds the operator

$[\mathrm{L/PFP}_{R, \bar x}\ \varphi(R, \bar x, \bar z)](\bar u)$

where in the case of LFP, $R$ occurs only positively in $\varphi$. To define the semantics consider the operator

$F(R) := \{ \bar a \mid \varphi(R, \bar a) \text{ holds} \}$.

$[\mathrm{LFP}_{R, \bar x}\ \varphi](\bar a)$ holds iff $\bar a$ is in the least fixed-point of $F$, and $[\mathrm{PFP}_{R, \bar x}\ \varphi](\bar a)$ holds iff there is some $n$ such that $F^{n+1}(\emptyset) = F^n(\emptyset)$ and $\bar a \in F^n(\emptyset)$.
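As an added example (not the paper's own code), the following Python evaluates the TC, DTC, LFP and PFP operators just defined over the word models of Section 2, including the case where the PFP iteration never stabilises. Representing $\varphi$ as a Python predicate and the sample formula `after_first_one` are assumptions of the example.

```python
"""Added example (not from the paper): the TC, DTC, LFP and PFP operators
defined above, evaluated over the finite word models of Section 2.
A word w in {0,1}^+ is the structure w := ({0,...,|w|-1}, <, S, min, max, P),
with S the successor relation of < and P the positions carrying a 1.
Assumption of this example: the formula phi under an operator is a Python
predicate (phi(x, y) for TC/DTC, phi(R, a) for LFP/PFP), not a syntactic
formula; the parameters z are fixed by closing over them."""

from itertools import product
from typing import Callable, FrozenSet, Iterator, Set


class WordModel:
    """The word model of a nonempty binary word."""

    def __init__(self, w: str) -> None:
        if not w or set(w) - {"0", "1"}:
            raise ValueError("expected a nonempty word over {0,1}")
        self.dom = range(len(w))              # positions 0 .. |w|-1
        self.min, self.max = 0, len(w) - 1
        self.P = frozenset(i for i, c in enumerate(w) if c == "1")

    def S(self, x: int, y: int) -> bool:      # successor relation of <
        return y == x + 1


def tc(m: WordModel, phi: Callable[[int, int], bool], a: int, b: int) -> bool:
    """[TC_{x,y} phi](a, b): tuples a_0 = a, ..., a_n = b with n > 0 and
    phi(a_i, a_{i+1}) for all i < n, found by forward closure from a."""
    frontier = {y for y in m.dom if phi(a, y)}        # every possible a_1
    seen: Set[int] = set()
    while frontier:
        if b in frontier:
            return True
        seen |= frontier
        frontier = {y for x in frontier for y in m.dom if phi(x, y)} - seen
    return False                               # n > 0: (a, a) needs a cycle


def dtc(m: WordModel, phi: Callable[[int, int], bool], a: int, b: int) -> bool:
    """[DTC_{x,y} phi] = [TC_{x,y} phi(x,y) and forall y'(phi(x,y') -> y'=y)]:
    a step from x is allowed only if y is the unique phi-successor of x."""
    def deterministic(x: int, y: int) -> bool:
        return phi(x, y) and all(y2 == y for y2 in m.dom if phi(x, y2))
    return tc(m, deterministic, a, b)


def stages(m: WordModel, phi) -> Iterator[FrozenSet[int]]:
    """Yield empty, F(empty), F^2(empty), ... for F(R) := {a | phi(R, a)}."""
    R: FrozenSet[int] = frozenset()
    while True:
        yield R
        R = frozenset(a for a in m.dom if phi(R, a))


def lfp(m: WordModel, phi) -> FrozenSet[int]:
    """[LFP_{R,x} phi]: least fixed point of F, iterated from the empty set.
    R must occur only positively in phi (F monotone); shrinking stages are rejected."""
    prev = None
    for R in stages(m, phi):
        if prev is not None and not prev <= R:
            raise ValueError("phi is not monotone in R (R must occur positively)")
        if R == prev:
            return R
        prev = R


def pfp(m: WordModel, phi) -> FrozenSet[int]:
    """[PFP_{R,x} phi]: F^n(empty) for the first n with F^{n+1}(empty) =
    F^n(empty).  If the stages cycle without stabilising there is no such n,
    so by the definition in the text no a satisfies the operator."""
    prev, seen = None, set()
    for R in stages(m, phi):
        if R == prev:
            return R
        if R in seen:                         # periodic: never stabilises
            return frozenset()
        seen.add(R)
        prev = R


def language(sentence: Callable[[WordModel], bool], max_len: int) -> Set[str]:
    """L(phi) := {w | w |= phi}, restricted to words of length <= max_len."""
    return {w for k in range(1, max_len + 1)
            for w in map("".join, product("01", repeat=k))
            if sentence(WordModel(w))}


# Sample formulas, constructed for this example.
def after_first_one(m: WordModel):
    """phi(R, a) := P(a) or exists b (S(b, a) and R(b)); R occurs positively
    and the least fixed point is the suffix starting at the first 1."""
    return lambda R, a: a in m.P or any(b in R and m.S(b, a) for b in m.dom)


def contains_a_one(m: WordModel) -> bool:
    """Sentence [LFP_{R,x} after_first_one](max): true iff the word has a 1."""
    return m.max in lfp(m, after_first_one(m))
```

On the word 0010, TC over the order $<$ reaches position 3 from position 0 while DTC does not, because position 0 has three $<$-successors.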

Finally, denote full second-order logic by SO, existential second-order logic by $\Sigma^1_1$, and (existential) second-order Horn logic by SO-Horn and $\Sigma^1_1$-Horn, respectively. Here, SO-Horn consists of second-order formulae in prenex normal form where the first-order part is universal, in conjunctive normal form, and each clause contains at most one positive literal $X\bar x$ for second-order variables $X$.

In this article we want to ask which languages can be defined within some fixed structure $\mathfrak{A}$. Of course, in order to do so the universe of $\mathfrak{A}$ should either consist of $\{0, 1\}^*$ or we have to choose some encoding of the elements of $\mathfrak{A}$ by words.

Definition 1. Let $\mathfrak{A}$ be a countable structure and suppose $e : A \to \{0, 1\}^*$ is bijective. Let $\mathcal{C}$ be a complexity class. We say that the logic $\mathcal{L}$ captures $\mathcal{C}$ on $\mathfrak{A}$ iff

$\mathcal{C} = \{ e(\varphi^{\mathfrak{A}}) \mid \varphi(x) \in \mathcal{L} \}$,

where $\varphi^{\mathfrak{A}} := \{ a \in A \mid \mathfrak{A} \models \varphi(a) \}$.

Obviously this definition may be generalised to relations of arbitrary arity. As there are pairing functions definable in all structures considered below, the arity can w.l.o.g. be assumed to be one. So, for simplicity, we will only deal with this case.

Below we will investigate which classes are captured on several variants of 
arithmetic and the free monoid. Since the first-order theory of arithmetic is 
highly undecidable, we can only hope to capture decidable complexity classes by 
fragments of FO. In particular we will try to ensure that all variables only range 
over finite sets. The following definition was motivated by the observation that 
in recursion theory “bounded quantifiers come for free.” 

Definition 2. Fix some structure 2t. A bounded guard on % is a quantifier-free 
formula a{x; y) such that for all b G A™ the set { a G A" | 2t |= a(d; b) } is finite. 
Here, x are called the bounded variables of a, and y are the free variables or 
parameters of a. 

The bounded fragment BFO on $\mathfrak A$ is defined like FO where all quantifiers are guarded, i.e., of the form $(Q\bar x.\alpha)\psi$ for $Q \in \{\exists, \forall\}$ and some bounded guard $\alpha$ with bounded variables $\bar x$.

For $O \in \{\mathrm{DTC}, \mathrm{TC}, \mathrm{LFP}, \mathrm{PFP}\}$ we define the bounded version $\mathrm{B}O$ by restricting the syntax to
$$[(\mathrm D)\mathrm{TC}_{\bar x, \bar y}\; \alpha(\bar y; \bar z) \wedge \psi(\bar x, \bar y, \bar z)] \quad\text{and}\quad [\mathrm{L/PFP}_{R, \bar x}\; \alpha(\bar x; \bar z) \wedge \psi(\bar x, \bar z)]$$
for some bounded guard $\alpha$. Let BFO($O$) be the logic obtained by adding the operator $O$ to BFO. Similarly, bounded second-order logic BSO is obtained by adding (unrestricted) second-order quantifiers to BFO.

Definition 3. Let $\varphi(\bar x)$ be a formula of some bounded logic, and let $y$ be a variable appearing bound in $\varphi$ (w.l.o.g. assume that no variable is quantified twice). For values $\bar c$ of $\bar x$, the domain of $y$ at $\bar c$ is defined inductively as follows. Let $(Qy.\alpha(y; \bar x, \bar z))\psi$ be the subformula where $y$ is bound.
$$\mathrm{dom}(y) := \{\, a \mid \text{there are } \bar b \text{ in the domains of } \bar z \text{ such that } \alpha(a; \bar c, \bar b) \text{ holds} \,\}.$$
Intuitively, the domain contains all values $y$ may have. Note that, by induction, the domains of bound variables are finite.

Remark 4. Regarding the expressive power the following inclusions hold:
$$\begin{array}{ccccccccc}
\mathrm{FO} & \subseteq & \mathrm{FO(DTC)} & \subseteq & \mathrm{FO(TC)} & \subseteq & \mathrm{FO(LFP)} & \subseteq & \mathrm{FO(PFP)} \\
\rotatebox{90}{$\subseteq$} & & \rotatebox{90}{$\subseteq$} & & \rotatebox{90}{$\subseteq$} & & \rotatebox{90}{$\subseteq$} & & \rotatebox{90}{$\subseteq$} \\
\mathrm{BFO} & \subseteq & \mathrm{BFO(BDTC)} & \subseteq & \mathrm{BFO(BTC)} & \subseteq & \mathrm{BFO(BLFP)} & \subseteq & \mathrm{BFO(BPFP)}
\end{array}$$

3 Arithmetic and High Complexity Classes 

In this section we will consider $(\mathbb N, <, \mathcal F)$, the natural numbers with order and some additional functions $f \in \mathcal F$, where $\mathcal F$ is allowed to be empty. Note that in this case we can w.l.o.g. assume that all guards are of the form
$$\bar x < t(\bar y) := x_0 < t(\bar y) \wedge \cdots \wedge x_{n-1} < t(\bar y)$$
for some $\mathcal F$-term $t$. The expressive power of bounded logics mainly depends on the growth-rate of the bounds. In order to compare such rates we define $\mathcal F_0 \le \mathcal F_1$ for classes $\mathcal F_0$ and $\mathcal F_1$ of functions on $\mathbb N$ iff for all $f_0 \in \mathcal F_0$ there is some $f_1 \in \mathcal F_1$ such that $f_0(n, \ldots, n) \le f_1(n, \ldots, n)$ for all $n \in \mathbb N$, and we write $\mathcal F_0 = \mathcal F_1$ iff both $\mathcal F_0 \le \mathcal F_1$ and $\mathcal F_1 \le \mathcal F_0$.

Let $\mathcal T\mathcal F$ be the set of terms built from functions of $\mathcal F$. We will see that it mainly depends on the growth-rate of $\mathcal T\mathcal F$ which complexity classes can be captured on $(\mathbb N, <, \mathcal F)$.

In order to define the complexity of a set of natural numbers it is assumed that numbers are coded by their binary encoding in reversed order, i.e., with the least significant bit first. Note that the number of bits of $n$ is $\lceil \log_2(n+1) \rceil$. Thus, given a monotone function $f : \mathbb N^k \to \mathbb N$ and a tuple $\bar n \in \mathbb N^k$ where $n_i$ has $l_i$ bits, the number of bits of $f(\bar n)$ is
$$(\mathcal B f)(\bar l) := \lceil \log_2 \big( f(2^{l_0} - 1, \ldots, 2^{l_{k-1}} - 1) + 1 \big) \rceil.$$

Our first result is preceded by two lemmas. Let $f : \mathbb N^k \to \mathbb N$ be a function such that $f(\bar a) > a_i$ for all $i < k$. We call a formula $\varphi(\bar x)$ $f$-bounded iff for all $\bar a \in \mathbb N^k$ and every term $t(\bar x, \bar y)$ in $\varphi(\bar x)$ the inequality $t(\bar a, \bar b) < f(\bar a)$ holds for values $\bar b$ in the domains of $\bar y$. Note that for all formulae $\varphi(\bar x)$ of the bounded logics defined above there is some $\mathcal F$-term $t(\bar x)$ such that $\varphi$ is $t$-bounded.

Lemma 5. Let $\mathcal F$ be a set of functions whose graphs are decidable in linear space, and let $\varphi(\bar x) \in \mathrm{BFO}$ be $f$-bounded. The question whether $(\mathbb N, <, \mathcal F) \models \varphi(\bar a)$ can be decided in space $O(|\varphi| \log_2 f(\bar a))$.

Proof. Since $\varphi$ is $f$-bounded we need to consider only values less than $f(\bar a)$. These can be stored in space $O(\log_2 f(\bar a))$. The claim is proved by induction on $\varphi$. To evaluate a function $h(\bar b)$ we can enumerate all numbers $c$ and check if the tuple $(\bar b, c)$ belongs to the graph. Thus, since both the arguments and the values of functions are less than $f(\bar a)$, atoms can be evaluated in space $O(\log_2 f(\bar a))$. The induction step for boolean connectives is trivial. So consider a formula of the form $(Qy < t(\bar x))\psi(y, \bar x)$. To decide whether it holds we can iterate over all values for $y$. The only space needed to do so is the storage of $y$. Thus, it is sufficient to have space $O(\log_2 f(\bar a))$ for each variable appearing in $\varphi$. □

The second lemma shows that in many cases we can assume that addition and multiplication are available.

Lemma 6. The graphs of addition and multiplication are BFO(BDTC)-definable in $(\mathbb N, <)$.

Proof. Clearly, $0$ and the successor relation $S$ are definable. $+$ and $\cdot$ are defined via the usual recurrence.
$$x + y = z := (y = 0 \wedge x = z) \vee [\mathrm{DTC}_{uv,\, u'v'}\; u' < y \wedge v' < z \wedge Su'u \wedge Sv'v](yz,\, 0x)$$
$$x \cdot y = z := (y = 0 \wedge z = 0) \vee [\mathrm{DTC}_{uv,\, u'v'}\; u' < y \wedge v' < z \wedge Su'u \wedge v' + x = v](yz,\, 00) \qquad □$$




Bounded Arithmetic and Descriptive Complexity 237 



The previous lemma indicates that it does not matter much which functions are present, since many of them are definable if the logic is at least as expressive as BFO(BDTC). Indeed, for such logics, our next result shows that the only thing which matters is the growth-rate of the available functions.

Theorem 7. Let $\mathcal F_0$ and $\mathcal F_1$ be sets of functions such that $\mathcal F_1 = \mathcal B\mathcal T\mathcal F_0$, the graphs of functions in $\mathcal F_0$ are computable in linear space, $O(n) \subseteq \mathcal F_1$, and $O\mathcal F_1 \subseteq \mathcal F_1$. Let $X \subseteq \mathbb N$.

(i) $X \in \mathrm{DSPACE}[\mathcal F_1]$ iff $X$ is BFO(BDTC)-definable in $(\mathbb N, <, \mathcal F_0)$.

(ii) $X \in \mathrm{NSPACE}[\mathcal F_1]$ iff $X$ is BFO(BTC)-definable in $(\mathbb N, <, \mathcal F_0)$.

(iii) $X \in \mathrm{DTIME}[2^{\mathcal F_1}]$ iff $X$ is BFO(BLFP)-definable in $(\mathbb N, <, \mathcal F_0)$ iff $X$ is $\mathrm B\Sigma^1_1$-Horn-definable in $(\mathbb N, <, \mathcal F_0)$ iff $X$ is BSO-Horn-definable in $(\mathbb N, <, \mathcal F_0)$.

(iv) $X \in \mathrm{NTIME}[2^{\mathcal F_1}]$ iff $X$ is $\mathrm B\Sigma^1_1$-definable in $(\mathbb N, <, \mathcal F_0)$.

(v) $X \in \mathrm{DSPACE}[2^{\mathcal F_1}]$ iff $X$ is BFO(BPFP)-definable in $(\mathbb N, <, \mathcal F_0)$.



Proof. In the formulae defined below we will use addition and multiplication, whose graphs are definable in all logics mentioned above. In order to keep them readable we will use not only their graphs but also the functions themselves. This can be done since we only use equations of the form $x = t$ for some variable $x$ and term $t$. Thus all intermediate results are less than or equal to $x$ and we can reduce $t$ by introducing new variables $y$ by bounded quantification $(\exists y \le x)$.

Below the following model of Turing machine is used. A $k$-tape Turing machine $M$ is given by a tuple $(Q, \Sigma, \Delta, q_0, F)$ where $Q$ is the set of states, $\Sigma = \{0,1\}$ is both the input and the working alphabet, $q_0$ is the initial state, $F$ is the set of final states, and
$$\Delta \subseteq Q \times \Sigma \times \Sigma^k \times \Sigma^k \times Q \times \{-1, 0, 1\}^{k+1}$$
is the transition relation with components: old state, symbol on the input tape, symbols on the working tapes, symbols to write on the working tapes, new state, and movement of the heads.

We prove only two items. The other proofs are similar. 

(i) (⇒) Let $M = (Q, \Sigma, \Delta, q_0, F)$ be an $f$ space-bounded $k$-tape Turing machine recognising $X$. W.l.o.g. assume that $Q = \{0, \ldots, n\}$, $\Sigma = \{0,1\}$, and $q_0 = 0$. Choose some $\mathcal F_0$-term $r(x)$ such that $f(x) \le \mathcal B r(x)$ for all $x \in \mathbb N$. Configurations of $M$ can be stored in tuples $(q, \bar w, \bar p)$ where each component is less than $2r(x)$. If there is a formula $\mathrm{TRANS}(\bar c, \bar c')$ expressing that the configuration stored in $\bar c'$ is the successor of $\bar c$, we can determine whether a final configuration can be reached from the initial one using a DTC-operator.
$$\varphi_X(x) := (\exists w_1 \cdots w_k p_0 \cdots p_k < 2r(x)) \bigvee_{q_f \in F} [\mathrm{DTC}_{q\bar w\bar p,\, q'\bar w'\bar p'}\; q'\bar w'\bar p' < 2r(x) \wedge \mathrm{TRANS}(q\bar w\bar p, q'\bar w'\bar p')]\big(0\,\underbrace{0 \cdots 0}_{k}\,\underbrace{1 \cdots 1}_{k+1},\; q_f w_1 \cdots w_k p_0 \cdots p_k\big).$$
TRANS is defined by
$$\mathrm{TRANS}(q\bar w\bar p, q'\bar w'\bar p') := \bigvee_{(i,\, a_0\bar a,\, \bar b,\, j,\, \bar m) \in \Delta} \Big( q = i \wedge q' = j \wedge \mathrm{bit}_{a_0}(x, p_0) \wedge \bigwedge_{l=0}^{k} \mathrm{MOVE}_{m_l}(p_l, p'_l) \wedge \bigwedge_{l=1}^{k} (\exists s < w_l)(\exists s' < p_l)\big(w_l = (2s + a_l)p_l + s' \wedge w'_l = (2s + b_l)p_l + s'\big) \Big),$$
where
$$\mathrm{bit}_d(x, p) := (\exists s < x)(\exists s' < p)(x = (2s + d)p + s'),$$
$$\mathrm{MOVE}_m(p, p') := \begin{cases} p = 2p' & \text{if } m = -1, \\ p' = p & \text{if } m = 0, \\ p' = 2p & \text{if } m = 1. \end{cases}$$

(⇐) Let $X$ be defined by $\varphi(x)$, and let $\varphi(x)$ be $t(x)$-bounded. Since $\mathcal F_1 = \mathcal B\mathcal T\mathcal F_0$ there is some $r \in \mathcal F_1$ with $\log_2 t(2^n) \le r(n)$ for all $n \in \mathbb N$. Thus it is sufficient to prove that $X \in \mathrm{DSPACE}[O(\log_2 t(2^n))]$. For BFO-formulae this was proved in the above lemma. It remains to consider the evaluation of a DTC-operator $[\mathrm{DTC}_{\bar x, \bar y}\; \bar y < s(\bar z) \wedge \psi(\bar x, \bar y, \bar z)]$, which can be done by calculating the sequence $\bar x_0, \bar x_1, \bar x_2, \ldots$ of tuples such that $\psi(\bar x_i, \bar x_{i+1}, \bar z)$ holds for all $i$. By induction we can assume that this condition can be checked in $\mathrm{DSPACE}[O(\log_2 t(2^n))]$. In order to compute $\bar x_{i+1}$ we only need to remember $\bar x_i$. Thus the space to store two such tuples is sufficient.

(iii) (⇒) Let $M = (Q, \Sigma, \Delta, q_0, F)$ be an $f$ time-bounded $k$-tape Turing machine recognising $X$. W.l.o.g. assume that $Q = \{0, \ldots, n\}$, $\Sigma = \{0,1\}$, and $q_0 = 0$. Choose some $\mathcal F_0$-term $t(x)$ such that $f(x) \le \mathcal B t(x)$ for all $x \in \mathbb N$, and let $r(x) = 2t(x) + n$. Using least fixed-points we inductively define relations $Q$, $\bar W$, $\bar P$ containing the whole run of $M$ on input $x$. For instance, $(q, t) \in Q$ means that $M$ is in state $q$ at time $t$. W.l.o.g. we define those relations by a simultaneous fixed-point, which can always be transformed into a normal one.

$$\varphi_X(x) := (\exists t < r(x)) \bigvee_{q_f \in F} \Big[\mathrm{LFP}_{Q,qt;\; W_1,apt;\; \ldots;\; W_k,apt;\; P_0,pt;\; \ldots;\; P_k,pt}\;
\begin{array}{l}
qt < r(x) \wedge \psi_Q \\
apt < r(x) \wedge \psi_{W_1} \\
\quad\vdots \\
apt < r(x) \wedge \psi_{W_k} \\
pt < r(x) \wedge \psi_{P_0} \\
\quad\vdots \\
pt < r(x) \wedge \psi_{P_k}
\end{array}\Big](q_f t)$$
where
$$\mathrm{CONF}_{q,\, a_0\bar a}(t) := Qqt \wedge (\exists p < r(x))(\exists s < x)(\exists s' < p)\big(P_0 pt \wedge x = (2s + a_0)p + s'\big) \wedge \bigwedge_{l=1}^{k} (\exists p < r(x))(P_l pt \wedge W_l a_l pt)$$
$$\psi_Q(q, t) := (q = 0 \wedge t = 0) \vee \bigvee_{(i,\, a_0\bar a,\, \bar b,\, j,\, \bar m) \in \Delta} \big(\mathrm{CONF}_{i,\, a_0\bar a}(t - 1) \wedge q = j\big)$$
$$\psi_{W_l}(a, p, t) := (a = 0 \wedge t = 0) \vee \bigvee_{(i,\, a_0\bar a,\, \bar b,\, j,\, \bar m) \in \Delta} \Big[\mathrm{CONF}_{i,\, a_0\bar a}(t - 1) \wedge (\exists p' < r(x))\big(P_l p'(t-1) \wedge [(p \ne p' \wedge W_l a p (t-1)) \vee (p = p' \wedge a = b_l)]\big)\Big]$$
$$\psi_{P_l}(p, t) := (p = 1 \wedge t = 0) \vee \bigvee_{(i,\, a_0\bar a,\, \bar b,\, j,\, \bar m) \in \Delta} \Big[\mathrm{CONF}_{i,\, a_0\bar a}(t - 1) \wedge (\exists p' < r(x))\big(P_l p'(t-1) \wedge \mathrm{MOVE}_{m_l}(p, p')\big)\Big]$$



(⇐) Let $X$ be defined by $\varphi(x)$, and let $\varphi(x)$ be $t(x)$-bounded. Since $\mathcal F_1 = \mathcal B\mathcal T\mathcal F_0$ there is some $r \in \mathcal F_1$ with $\log_2 t(2^n) \le r(n)$ for all $n \in \mathbb N$. Thus, it is sufficient to prove that $X \in \mathrm{DTIME}[2^{O(\log_2 t(2^n))}] = \mathrm{DTIME}[O(t(2^n)^{O(1)})]$. To evaluate a fixed-point operator $[\mathrm{LFP}_{R, \bar x}\; \bar x < t(\bar y) \wedge \psi(\bar x, \bar y)]$ we calculate its stages $R^0, R^1, R^2, \ldots$, where by boundedness we only need to consider the part $R^i_0 := R^i \cap \{0, \ldots, t(\bar a) - 1\}^n$. Thus, $R^{i+1}_0$ can be computed in $t(\bar a)^n$ steps from $R^i_0$, each of which takes time $O(t(\bar a)^{O(1)})$ (by induction). Since the fixed-point is reached after at most $t(\bar a)^n$ stages we obtain a bound of $O(t(\bar a)^{O(1)} \cdot t(\bar a)^n \cdot t(\bar a)^n)$.

□



To apply this theorem we need to define functions of appropriate growth. Let $x \# y := 2^{\lceil \log_2 x \rceil \cdot \lceil \log_2 y \rceil}$. (Note that $\#$ is associative and commutative.) Since
$$\mathcal B\mathcal T\{+, \cdot\} = O(n),$$
$$\mathcal B\mathcal T\{+, \cdot, \#\} = O(n^{O(1)}),$$
$$\mathcal B\mathcal T\{+, \cdot, 2^n\} = \mathcal T\{2^n\}$$
we obtain the results in Table 2. What happens when no functions are present?

Theorem 8. Let $X \subseteq \mathbb N$. The results of the previous theorem also hold for $\mathcal F_0 = \emptyset$ and $\mathcal F_1 = O(n)$.

Proof. The only place where the proofs above fail is the existence of a term $r(x)$ providing a bound large enough to store either the complete contents of a tape or the position of a cell on the tape. For $\mathcal F_1 = O(n)$ this term would be $r(x) := x^c$ for some $c$. Though such an $r$ is not available we can handle values of this size by storing each in $c$ variables. Using the (BFO-definable) lexicographic order on $c$-tuples we can then define addition and multiplication as above. □

Table 2. Logics capturing complexity classes on arithmetic

Class               Logic        Structure
DSPACE[O(n)]        BFO(BDTC)    (N, <, +, ·)
NSPACE[O(n)]        BFO(BTC)     (N, <, +, ·)
PSPACE              BFO(BTC)     (N, <, +, ·, #)
DTIME[2^O(n)]       BFO(BLFP)    (N, <, +, ·)
NTIME[2^O(n)]       BΣ^1_1       (N, <, +, ·)
EXPTIME             BFO(BLFP)    (N, <, +, ·, #)
NEXPTIME            BΣ^1_1       (N, <, +, ·, #)
DSPACE[2^O(n)]      BFO(BPFP)    (N, <, +, ·)
EXPSPACE            BFO(BPFP)    (N, <, +, ·, #)
ELEMENTARY          BFO(BDTC)    (N, 2^n)



The only property of $(\mathbb N, <, \mathcal F)$ used in the proofs above was the order type and the growth-rate of $\mathcal F$-terms. This enables us to generalise the results to arbitrary structures as follows. Let $\mathfrak A = (A, <, R_0, \ldots, R_r, f_0, \ldots, f_s)$ be a linearly ordered structure of order type $\omega$. For $a \in A$ let $|a| := |\{\, b \in A \mid b < a \,\}|$. If we identify elements $a \in A$ with the natural number $|a|$ we get the isomorphic structure $(\mathbb N, <, R'_0, \ldots, R'_r, f'_0, \ldots, f'_s)$ to which we can apply our capturing results. If the complexity of subsets $X \subseteq A$ is measured with regard to the encoding $a \mapsto |a|$ we obtain

Theorem 9. Let $\mathfrak A = (A, <, R_0, \ldots, R_r, f_0, \ldots, f_s)$ be a linearly ordered structure of order type $\omega$ such that $R_i$, $i \le r$, and the graphs of $f_i$, $i \le s$, are computable in linear space. Let $\mathcal F_0 := \{f_0, \ldots, f_s\}$ and let $\mathcal F_1$ be a set of functions such that if $\mathcal F_0$ is empty then $\mathcal F_1 = O(n)$, otherwise $\mathcal F_1 = \mathcal B\mathcal T\mathcal F_0$, $O(n) \subseteq \mathcal F_1$ and $O\mathcal F_1 \subseteq \mathcal F_1$. Let $X \subseteq A$.



(i) $X \in \mathrm{DSPACE}[\mathcal F_1]$ iff $X$ is BFO(BDTC)-definable in $\mathfrak A$.

(ii) $X \in \mathrm{NSPACE}[\mathcal F_1]$ iff $X$ is BFO(BTC)-definable in $\mathfrak A$.

(iii) $X \in \mathrm{DTIME}[2^{\mathcal F_1}]$ iff $X$ is BFO(BLFP)-definable in $\mathfrak A$ iff $X$ is $\mathrm B\Sigma^1_1$-Horn-definable in $\mathfrak A$ iff $X$ is BSO-Horn-definable in $\mathfrak A$.

(iv) $X \in \mathrm{NTIME}[2^{\mathcal F_1}]$ iff $X$ is $\mathrm B\Sigma^1_1$-definable in $\mathfrak A$.

(v) $X \in \mathrm{DSPACE}[2^{\mathcal F_1}]$ iff $X$ is BFO(BPFP)-definable in $\mathfrak A$.



So far, we only considered extensions of first-order logic. Next we look at the expressive power of BFO. An old result provides an answer in the case of the structure $(\mathbb N, <, +, \cdot)$.
Theorem 10 (Wrathall). $X$ belongs to the linear hierarchy iff $X$ is BFO-definable in $(\mathbb N, <, +, \cdot)$.

As mentioned in [?], by adding the operator $\#$ a characterisation of PH is obtained.

Theorem 11. $X \in \mathrm{PH}$ iff $X$ is BFO-definable in $(\mathbb N, <, +, \cdot, \#)$.

Proof. (⇐) Let $X$ be defined by
$$\varphi(x) = (Q_0 y_0 < t_0) \cdots (Q_{n-1} y_{n-1} < t_{n-1})\, \psi(x, \bar y)$$
where $\psi$ is quantifier-free. There is some $k \in \mathbb N$ such that $\varphi(x)$ is $(2^{(\log_2 x)^k})$-bounded. Hence each $y_i$ ($i < n$) can be encoded in $(\log_2 x)^k$ bits. Obviously, quantifier-free formulae $\psi(\bar a)$ can be evaluated in polynomial time with respect to the length of $\bar a$. Thus,
$$X := \{\, x \mid Q_0 y_0 \cdots Q_{n-1} y_{n-1}\, R(x, \bar y) \,\}$$
where all quantifiers are polynomially bounded and
$$R(x, \bar y) := y_0 < t_0 \wedge \cdots \wedge y_{n-1} < t_{n-1} \wedge \psi(x, \bar y)$$
is a PTIME-predicate. Hence, $X \in \mathrm{PH}$.

(⇒) By a corollary to Fagin's characterisation of NPTIME, there is some $\psi \in \mathrm{SO}$ such that $x \in X$ iff $\underline x \models \psi$ for all $x \in \{0,1\}^+$, where $\underline x$ is the word model of $x$. We construct a formula $\varphi(x) \in \mathrm{BFO}$ with
$$\underline x \models \psi \quad\text{iff}\quad (\mathbb N, <, 0, 1, +, \cdot, \#) \models \varphi(\mathrm{val}(x1))$$
where $\mathrm{val}(y)$ is the number whose binary encoding in reversed order is $y$. Define
$$\varphi(x) := (\exists p < x + 1)\big(P_2 p \wedge x < 2p \wedge \psi^*(x, p)\big)$$
where $p$ denotes the position of the final digit,
$$P_2 x := x = 1 \vee (\forall y < x + 1)\big(y \mid x \wedge y \ne 1 \to 2 \mid y\big)$$
defines the powers of 2, and $\psi^*$ is constructed such that
$$\underline x \models \psi(U_0, \ldots, U_{n-1}, y_0, \ldots, y_{m-1}) \quad\text{iff}\quad (\mathbb N, <, 0, 1, +, \cdot, \#) \models \psi^*(x, p, u_0, \ldots, u_{n-1}, 2^{y_0}, \ldots, 2^{y_{m-1}})$$
where $u_i := \sum \{\, 2^{l_0 + l_1 |x| + \cdots + l_{k-1} |x|^{k-1}} \mid (l_0, \ldots, l_{k-1}) \in U_i \,\}$. Define



$$\begin{array}{lcl}
(y_0 = y_1)^* & := & y_0 = y_1 \\
(y_0 < y_1)^* & := & y_0 < y_1 \\
(Py)^* & := & \mathrm{bit}(x, y) \\
(U y_0 \ldots y_{k-1})^* & := & \mathrm{bit}\big(u,\; y_0\,(y_1 \# p) \cdots (y_{k-1} \# p \# \cdots \# p)\big) \\
(\neg\psi)^* & := & \neg\psi^* \\
(\psi \vee \vartheta)^* & := & \psi^* \vee \vartheta^* \\
(\exists y\,\psi)^* & := & (\exists y < p)(P_2 y \wedge \psi^*) \\
(\exists U\,\psi)^* & := & (\exists u < p \# \cdots \# p)\, \psi^*
\end{array}$$
where $\mathrm{bit}(x, y)$ expresses that the bit of $x$ at position $y$ is 1:
$$\mathrm{bit}(x, y) := (\exists s < x)(\exists s' < y)(x = (2s + 1)y + s'). \qquad □$$
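The DTC-definitions of addition and multiplication from Lemma 6 and the bit/P2 formulas from the proof of Theorem 11, evaluated directly over small natural numbers as an added example (my code, not the paper's). It assumes that a DTC path has length at least one, as the separate y = 0 disjunct in Lemma 6 indicates, and relaxes the multiplication guard v' < z to v' ≤ z so that x = 0 is covered; everything else follows the formulas as written.

```python
"""Added example (not from the paper): Lemma 6's DTC-definitions of + and *
and Theorem 11's bit/P2 formulas, evaluated directly over (N, <).
Assumptions (mine): a DTC path has length >= 1 (Lemma 6's separate y = 0
disjunct indicates this), and the multiplication guard v' < z is relaxed to
v' <= z so that x = 0 is covered; it is still a bounded guard."""

from typing import Callable, Iterable, List, Tuple

Pair = Tuple[int, int]


def dtc(start: Pair, target: Pair,
        successors: Callable[[Pair], Iterable[Pair]], limit: int) -> bool:
    """[DTC psi](start, target): follow the psi-successor while it is unique;
    true iff `target` is reached after at least one step. `limit` is the
    number of steps the guard allows, so the walk always terminates."""
    cur = start
    for _ in range(limit):
        nxt = list(successors(cur))
        if len(nxt) != 1:           # no successor, or not deterministic
            return False
        cur = nxt[0]
        if cur == target:
            return True
    return False


def plus(x: int, y: int, z: int) -> bool:
    r"""x + y = z := (y = 0 /\ x = z)
       \/ [DTC_{uv,u'v'} u' < y /\ v' < z /\ S u' u /\ S v' v](yz, 0x).
    The walk counts (y, z) down to (0, z - y); it succeeds iff that is (0, x)."""
    if y == 0 and x == z:
        return True

    def succ(p: Pair) -> Iterable[Pair]:
        u, v = p
        u1, v1 = u - 1, v - 1            # S u' u  and  S v' v
        if 0 <= u1 < y and 0 <= v1 < z:  # the bounded guard on (u', v')
            yield (u1, v1)

    return dtc((y, z), (0, x), succ, limit=y)


def times(x: int, y: int, z: int) -> bool:
    r"""x * y = z := (y = 0 /\ z = 0)
       \/ [DTC_{uv,u'v'} u' < y /\ v' <= z /\ S u' u /\ v' + x = v](yz, 00).
    The walk subtracts x from z exactly y times; it succeeds iff it lands on (0, 0)."""
    if y == 0 and z == 0:
        return True

    def succ(p: Pair) -> Iterable[Pair]:
        u, v = p
        u1, v1 = u - 1, v - x            # S u' u  and  v' + x = v
        if 0 <= u1 < y and 0 <= v1 <= z:
            yield (u1, v1)

    return dtc((y, z), (0, 0), succ, limit=y)


def bit(x: int, y: int) -> bool:
    """bit(x, y) := (exists s < x)(exists s' < y)(x = (2s + 1)y + s'):
    the bit of x at position y is 1, where the position y is a power of two."""
    return any(x == (2 * s + 1) * y + s1 for s in range(x) for s1 in range(y))


def divides(y: int, x: int) -> bool:
    """y | x, read as: some k <= x satisfies y * k = x (so 0 | 0 holds)."""
    return x == 0 if y == 0 else x % y == 0


def p2(x: int) -> bool:
    r"""P2 x := x = 1 \/ (forall y < x + 1)(y | x /\ y != 1 -> 2 | y):
    every divisor other than 1 is even, i.e. x is a power of two.
    (As written, the formula also accepts x = 0; the proof only uses p >= 1.)"""
    return x == 1 or all(not (divides(y, x) and y != 1) or y % 2 == 0
                         for y in range(x + 1))


def val(word: str) -> int:
    """val(y): the number whose binary encoding in reversed order
    (least significant bit first) is the word y."""
    return sum(1 << i for i, c in enumerate(word) if c == "1")


def final_digit_position(x: int) -> int:
    r"""The p picked by phi(x) := (exists p < x + 1)(P2 p /\ x < 2p /\ ...):
    the unique power of two with p <= x < 2p, i.e. the position of the
    digit 1 that Theorem 11 appends to the input word (x = val(w1) >= 1)."""
    cands = [p for p in range(1, x + 1) if p2(p) and x < 2 * p]
    if len(cands) != 1:
        raise ValueError("x must be at least 1")
    return cands[0]


def word_model_bits(word: str) -> List[int]:
    """Positions i with P_i true in the word model, read back through
    (P y)* = bit(x, 2^y) on x = val(word); equals the positions of the 1s."""
    x = val(word)
    return [i for i in range(len(word)) if bit(x, 1 << i)]
```

Running `word_model_bits("1101")` and `final_digit_position(val("11011"))` shows the two halves of the encoding in Theorem 11: the word's positions come back as bits of `val`, and the appended 1 sits at the unique power of two `p` with `x < 2p`.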

Theorem 12. $X \subseteq \mathbb N$ is of elementary complexity iff $X$ is BFO-definable in $(\mathbb N, 2^n)$.

The proof is done by directly coding computations of Turing machines. In this 
case fixed-points are not needed since numbers large enough to code whole runs 
are available. 

Remark 13. The results of Theorems 7(i), (ii), and 10-12 also hold for oracle machines if one adds the oracle set as a unary predicate to the structure.

Unbounded fixed-points. Above we met the boundedness requirement for the logics considered by an ad hoc definition of bounded fixed-points. Next we will investigate under which conditions this can be avoided by using normal (unbounded) operators instead. The first result shows that in many situations it cannot.

Proposition 14. Any relation which is FO(DTC)-definable in $(\mathbb N, <, +, \cdot)$ (in particular any arithmetic relation) is already BFO(DTC)-definable in $(\mathbb N, <)$.

Proof. Since addition and multiplication are FO(DTC)-definable it is sufficient to show how to emulate unbounded quantifiers by DTC-operators. To simulate $\exists x\,\varphi$ we can enumerate all numbers until some $n$ with $\varphi(n)$ is found. Formally,
$$\exists x\,\varphi = [\mathrm{DTC}_{x, x'}\; (\neg\varphi(x) \wedge x' = x + 1) \vee (\varphi(x) \wedge x' = 0)](0, 0). \qquad □$$

In contrast, for purely relational structures a positive result is obtained. Note 
that the proof above shows that it does not hold for transitive-closure operators. 

Proposition 15. Let $\mathfrak A = (A, <, R_0, \ldots, R_m)$ be a relational structure of order type $\omega$, and let $X \subseteq A^k$.

(i) $X$ is BFO(LFP)-definable if and only if it is BFO(BLFP)-definable.

(ii) $X$ is BFO(PFP)-definable if and only if it is BFO(BPFP)-definable.

Proof. (⇐) is trivial. For (⇒) consider the stages $R^0, R^1, \ldots$ of the fixed-point induction of $\varphi(\bar y, \bar z) := [\mathrm{LFP}_{R, \bar x}\; \psi(\bar x, \bar y)](\bar z)$. Since all bounds are of the form $u < v$ for variables $u$ and $v$, the decision whether $\bar x \in R^{i+1}$ depends only on values of $R^i$ for arguments less than
$$t := \max\{x_0, \ldots, x_n, y_0, \ldots, y_m, z_0, \ldots, z_l\}.$$
In particular, the value at position $\bar z$ only depends on lower positions. Therefore we can replace the operator by a bounded one.
$$\varphi(\bar y, \bar z) = \bigvee_i \big(\max(y_i, \bar y, \bar z) \wedge \chi(y_i)\big) \vee \bigvee_i \big(\max(z_i, \bar y, \bar z) \wedge \chi(z_i)\big)$$
where $\max(u, \bar y, \bar z) := \bigwedge_k y_k \le u \wedge \bigwedge_k z_k \le u$ says that $u$ is a maximal element, and
$$\chi(u) := [\mathrm{LFP}_{R, \bar x}\; x_0 \le u \wedge \cdots \wedge x_n \le u \wedge \psi(\bar x, \bar y)](\bar z)$$
is the bounded version of the LFP-operator. The proof for BFO(PFP) is identical. □

Table 3. Logics capturing complexity classes on arithmetic

Class               Logic        Structure
LinH                BFO          (N, <, +, ·)
PH                  BFO          (N, <, +, ·, #)
DSPACE[O(n)]        BFO(BDTC)    (N, <)
NSPACE[O(n)]        BFO(BTC)     (N, <)
PSPACE              BFO(BTC)     (N, <, #)
DTIME[2^O(n)]       BFO(BLFP)    (N, <)
NTIME[2^O(n)]       BΣ^1_1       (N, <)
EXPTIME             BFO(BLFP)    (N, <, #)
NEXPTIME            BΣ^1_1       (N, <, #)
DSPACE[2^O(n)]      BFO(BPFP)    (N, <)
EXPSPACE            BFO(BPFP)    (N, <, #)
ELEMENTARY          BFO          (N, 2^n)

The characterisations of standard complexity classes we have obtained are summarised in the table above. The results remain valid if we add any relations or functions computable in the respective class. In particular we may add $0$, $1$, $+$, and $\cdot$. Also the structure $(\mathbb N, <)$ may be replaced by any linear order $(A, <)$ of the same order type. Similarly, $(\mathbb N, <, \#)$ may be replaced by $(A, <, f)$ where $2^{\log^c |a|} \le$ … for some $c, d > 1$.



4 The Free Monoid and Low Complexity Classes 

So far, we have obtained only characterisations of high (above PTIME) complexity classes. Intuitively, this was caused by the fact that, in arithmetic with the usual order, numbers of $n$ bits have about $2^n$ predecessors. If we are interested in low complexity classes we thus have to choose a different order. In the classical approach variables can range over $n$ positions in a word model of length $n$. Therefore, we next consider the free monoid with prefix-ordering, where words of length $n$ have $n$ predecessors.

Definition 16. Let $\mathfrak T := (\{0,1\}^*, \sigma_0, \sigma_1, \prec)$ where
$$\sigma_i xy \;:\text{iff}\; y = xi, \quad\text{and}\quad x \prec y \;:\text{iff}\; y = xz \text{ for some } z \ne \varepsilon.$$

It turns out that this choice enables us to translate many of the classical results to our setting and vice versa. Let $\mathcal L$ consist of the following logics: FO, FO(DTC), FO(TC), FO(LFP), FO(PFP), $\Sigma^1_1$-Horn, $\Sigma^1_1$, SO-Horn, and SO. For $L \in \mathcal L$ denote by $\mathrm B L$ the corresponding bounded version.

Theorem 17. Let $X \subseteq \{0,1\}^+$ and $L \in \mathcal L$. The following statements are equivalent:

(i) There is some $\varphi \in L$ such that $w \in X$ iff $\underline w \models \varphi$.

(ii) There is some $\varphi(x) \in \mathrm B L$ such that $w \in X$ iff $\mathfrak T \models \varphi(w)$.

The familiar results of descriptive complexity theory can thus be stated as

Corollary 18. Let $X \subseteq \{0,1\}^*$.

(i) $X \in \mathrm{LOGSPACE}$ iff $X$ is BFO(BDTC)-definable in $\mathfrak T$.

(ii) $X \in \mathrm{NLOGSPACE}$ iff $X$ is BFO(BTC)-definable in $\mathfrak T$.

(iii) $X \in \mathrm{PTIME}$ iff $X$ is BFO(BLFP)-definable in $\mathfrak T$ iff $X$ is $\mathrm B\Sigma^1_1$-Horn-definable in $\mathfrak T$ iff $X$ is BSO-Horn-definable in $\mathfrak T$.

(iv) $X \in \mathrm{NPTIME}$ iff $X$ is $\mathrm B\Sigma^1_1$-definable in $\mathfrak T$.

(v) $X \in \mathrm{PH}$ iff $X$ is BSO-definable in $\mathfrak T$.

(vi) $X \in \mathrm{PSPACE}$ iff $X$ is BFO(BPFP)-definable in $\mathfrak T$.



The proof of Theorem 17 is divided into two propositions.

Lemma 19. For every $\varphi \in L$ there is some $\varphi^*(x) \in \mathrm B L$ such that, for all $w \in \{0,1\}^+$, $\underline w \models \varphi$ iff $\mathfrak T \models \varphi^*(w)$.

Proof. We construct $\varphi^*(x)$ such that for all subformulae $\psi$ the following condition is satisfied:
$$\underline x \models \psi(X_0, \ldots, X_n, y_0, \ldots, y_m) \quad\text{iff}\quad \mathfrak T \models \psi^*(x, X_0^*, \ldots, X_n^*, y_0^*, \ldots, y_m^*)$$
where $y_i^*$ is the prefix of $x$ of length $y_i$, and $X_i^*$ contains a tuple of prefixes of $x$ iff the tuple of their lengths is in $X_i$. In the following definition variables named $y$, $y_0$, etc. are bounded, whereas $x$ is the only free variable.



$$\begin{array}{lcl}
(y_0 = y_1)^* & := & y_0 = y_1 \\
(Py)^* & := & (\exists y' \preceq x)\, \sigma_1 y y' \\
(y_0 < y_1)^* & := & y_0 \prec y_1 \\
(X\bar y)^* & := & X\bar y \\
([(\mathrm D)\mathrm{TC}_{\bar y, \bar y'}\, \psi](\bar t))^* & := & [(\mathrm D)\mathrm{TC}_{\bar y, \bar y'}\; y'_0 \prec x \wedge \cdots \wedge y'_{k-1} \prec x \wedge \psi^*](\bar t) \\
(\neg\psi)^* & := & \neg\psi^* \\
(\psi \vee \vartheta)^* & := & \psi^* \vee \vartheta^* \\
(\exists y\,\psi)^* & := & (\exists y \prec x)\, \psi^* \\
(\exists X\,\psi)^* & := & (\exists X)\, \psi^* \\
([\mathrm{LFP}_{R, \bar u}\, \psi](\bar t))^* & := & [\mathrm{LFP}_{R, \bar u}\; u_0 \prec x \wedge \cdots \wedge u_{k-1} \prec x \wedge \psi^*](\bar t)
\end{array}$$



Lemma 20. For every $\varphi(x) \in \mathrm B L$ there is some $\varphi' \in L$ such that, for all $w \in \{0,1\}^+$, $\mathfrak T \models \varphi(w)$ iff $\underline w \models \varphi'$.

Proof. Note that, since $\varphi(x)$ has only one free variable $x$, all bounded variables are prefixes of $x$. Thus, it again is sufficient to ensure that
$$\mathfrak T \models \psi(x, X_0, \ldots, X_n, y_0, \ldots, y_m) \quad\text{iff}\quad \underline x \models \psi'(X'_0, \ldots, X'_n, |y_0|, \ldots, |y_m|)$$
where the definition of $X'_i$ is slightly more involved since there are $|x| + 1$ prefixes of $x$, but only $|x|$ elements in $\underline x$. Therefore, we double the arity of $X_i$ and define
$$X'_i := \{\, (\bar u_{00}\bar u_{01}, \ldots, \bar u_{k0}\bar u_{k1}) \mid (u_0, \ldots, u_k) \in X_i \,\}$$
where
$$\bar u_j := \begin{cases} (|u_j|,\ 0) & \text{if } u_j \prec x, \\ (|x| - 1,\ |x| - 1) & \text{if } u_j = x. \end{cases}$$
In the following definition variables named $y$, $y_0$, etc. are bounded, whereas $x$ is the only free variable. $t$ stands for an arbitrary term, which can be either one of $y$, $x$, or one of $y$, $\min$, $\max$. Furthermore, $P^i t$ is $Pt$ for $i = 1$, and $\neg Pt$ for $i = 0$.



$$\begin{array}{lcl}
(y_0 = y_1)' & := & y_0 = y_1 \\
(\sigma_i y_0 y_1)' & := & S y_0 y_1 \wedge P^i y_0 \\
(y = x)' & := & \mathrm{false} \\
(\sigma_i x t)' & := & \mathrm{false} \\
(x = x)' & := & \mathrm{true} \\
(\sigma_i y x)' & := & y = \max \wedge P^i y \\
(y_0 \prec y_1)' & := & y_0 < y_1 \\
(y \prec x)' & := & \mathrm{true} \\
(x \prec t)' & := & \mathrm{false} \\
(\neg\psi)' & := & \neg\psi' \\
((\exists y_0 \prec y_1)\psi)' & := & \exists y_0\, (y_0 < y_1 \wedge \psi') \\
(\psi \vee \vartheta)' & := & \psi' \vee \vartheta' \\
((\exists y \prec x)\psi)' & := & \exists y\, \psi' \\
(\exists X\,\psi)' & := & \exists X'\, \psi' \\
(X\bar t)' & := & X'\bar t'
\end{array}$$
where
$$t' := \begin{cases} (y,\ \min) & \text{if } t = y, \\ (\max,\ \max) & \text{if } t = x, \end{cases}$$
$$([(\mathrm D)\mathrm{TC}_{\bar y, \bar y'}\; y'_0 \prec t_0 \wedge \cdots \wedge y'_{n-1} \prec t_{n-1} \wedge \psi](\bar t, \bar t'))' := [(\mathrm D)\mathrm{TC}_{\bar y, \bar y'}\; y'_0 < t'_0 \wedge \cdots \wedge y'_{n-1} < t'_{n-1} \wedge \psi'](\bar t', \bar t'')$$
$$([\mathrm{LFP}_{R, \bar u}\; u_0 \prec t_0 \wedge \cdots \wedge u_{n-1} \prec t_{n-1} \wedge \psi](\bar t))' := [\mathrm{LFP}_{R, \bar u}\; u_0 < t'_0 \wedge \cdots \wedge u_{n-1} < t'_{n-1} \wedge \psi'](\bar t')$$

□



Remark 21. (i) The preceding results can be generalised to formulae with several free variables.

(ii) Nothing changes if we replace $\sigma_0$, $\sigma_1$ by the corresponding functions or even add concatenation. For the last part note that for all variables $y$ appearing in a formula $\varphi(x)$ there is some $k$ such that $y$ ranges over values of the form $y_0 \cdots y_j$, $j < k$, where the $y_i$ are prefixes of $x$. Hence the value of each $y$ can be stored in a fixed number of variables and we can eliminate concatenation by its BFO(BDTC)-definition.

(iii) Since $\mathfrak T$ is relational, bounded LFP- and PFP-operators can be replaced by unbounded ones as in the case of arithmetic.

(iv) If one adds to $\mathfrak T$ either the relations $|x| + |y| = |z|$ and $|x| \cdot |y| = |z|$, or the relation $\mathrm{bit}(x, y)$ saying that bit $|y|$ of $|x|$ is 1, and considers word models with analogous predicates, we also can characterise the class $\mathrm{AC}^0$, i.e., $X \subseteq \{0,1\}^*$ is in $\mathrm{AC}^0$ iff $X$ is BFO-definable in $(\mathfrak T, \mathrm{bit})$.

Table 4. Logics capturing complexity classes on the free monoid

Class        Logic        Structure
AC^0         BFO          (T, bit)
LOGSPACE     BFO(BDTC)    T
NLOGSPACE    BFO(BTC)     T
PTIME        BFO(LFP)     T
NPTIME       BΣ^1_1       T
PH           BSO          T
PSPACE       BFO(PFP)     T
Abstract. We consider Hintikka et al.'s 'independence-friendly first-order logic'. We apply it to a modal logic setting, defining a notion of 'independent' modal logic, and we examine the associated fixpoint logics.



1 Introduction 

Modal and temporal logics have a long history as system specification languages 
in computer science, and computer scientists’ study of temporal logic has gen- 
erated many interesting theoretical developments, as well as many important 
practical advances. The logics in question typically describe properties of execu- 
tion paths of systems, either explicitly, as in LTL and CTL, or via a ‘next-step’ 
operator and fixpoints, as in the modal mu-calculus. 

Another major issue in computer science is concurrency. The theoretical and practical analysis of concurrent and distributed systems also has a long history. Probably the most successful approach to understanding concurrency at a fundamental semantic level is the use of 'independence models', in which certain events are stated to be independent of other events, and the associated partial order semantics, in which a partial order of causality is established between events. There have also been several major practical advances in exploiting partial order structure, such as stubborn sets and sleep sets [?] and unfolding techniques [?].

Naturally, one wishes to have modal and temporal logics for concurrent systems. There are several ways to apply the paradigm of normal temporal logic, typically by working on event structures, or similar models, and having explicit operators representing concurrency or independence: see [?] for a survey of such logics. In some models, and therefore in the associated logics, the notion of independence is abstract; in others, it is more concrete, perhaps derived from a notion of location; but in all cases it inheres in the model rather than the logic.

However, there is also a notion of inherent independence in logic, which seems 
quite natural when specifying concurrent systems, but which has not, with one 
notable exception, received much attention in concurrency theory. 

In 1961, Leon Henkin introduced the quantifier $\binom{\forall x\;\exists y}{\forall u\;\exists v}$, which is intended to mean that the choice of $y$ depends only on $x$, not on $u$; and similarly the choice of $v$ depends only on $u$; a formal semantics is given by using suitable Skolem functions.

The Henkin quantifier and its generalizations received some attention: the main papers were at the beginning of the 70s, by William Walkoe and Herbert Enderton [2], and later also by Krynicki and Barwise. It was shown that $\binom{\forall x\;\exists y}{\forall u\;\exists v}$ suffices to express all partially ordered or branching quantifiers (that is, quantifiers where the dependence of variables need not be simply linear). More recently, Georg Gottlob has looked at generalized quantifiers, including $\binom{\forall x\;\exists y}{\forall u\;\exists v}$, for capturing complexity classes.

In the last few years, logicians, in particular the (Boston and) Helsinki logicians Jaakko Hintikka, Gabriel Sandu and Jouko Väänänen, have returned with a vengeance to the study of 'independent' quantifiers as a basic logic, rather than a specialist extension, and Hintikka and Sandu [?] have gone so far as to claim that their absence from Frege's logic was a 'fundamental error', a 'horror', and to claim that their reintroduction heralds 'a revolution in logic' (albeit with a question mark in the title). It is not necessary to accept this thesis to accept that 'independence-friendly first-order logic' (IF-FOL) is an interesting, and natural, logic. For example, when considering the development of systems by several designers working independently, the notion of independent choice seems natural, and may reasonably form part of any language for discussing properties of such designs. At a more concrete level, different components of a distributed system cannot be assumed to have full knowledge of other components, and so cannot make fully informed choices.

In this paper, I suggest that the use of modalities based on Henkin quan- 
tifiers gives an approach to independence in concurrency which complements 
the model-based independence usually used. I start by outlining the work on 
independent quantifiers; I then give a natural modal logic using independent 
quantification, and relate it to other work on logics for distributed systems; I 
define the obvious fixpoint extension, and consider complexity issues and the 
extent to which the usual theory transfers. I then return to the first-order inde- 
pendence logic giving our metalanguage, and consider briefly the interpretation 
of fixpoints there: which is not a trivial question. Finally, I raise the problem 
of more general modal fixpoint logics based on independence. Owing to space 
constraints, proofs are generally omitted or just sketched, unless they are of 
particular interest. 

2 ‘Independence-Friendly’ First-Order Logic 

By FOL+ we mean first-order logic in positive form: that is, negation is applied only to atomic formulae, and both operators of the dual pairs $\vee/\wedge$ and $\exists/\forall$ are considered primitive; FOL denotes the usual logic where negation is not so restricted. FOL+ $+\, Q$ denotes the logic where the additional operator $Q$ appears only positively. We use similar notation for other logics.

2.1 Partial Quantifiers à la Henkin

A branching quantifier $Q$ is a set $\{x_1, \ldots, x_m, y_1, \ldots, y_n\}$ of variables, carrying a partial order $\prec$; the $x_i$ are universal, the $y_i$ existential. The semantics of $Q\phi$ is defined to be that of $\exists f_1 \ldots f_n.\, \forall x_1 \ldots x_m.\, \phi[f_i(\bar u_i)/y_i]$, where $\bar u_i$ is the list of variables $\prec y_i$, and $[\cdot/\cdot]$ denotes syntactic substitution: thus $f_i$ is a Skolem function for $y_i$, but it refers only to variables preceding $y_i$ in the partial order. In particular, the Henkin quantifier $\{x_1, x_2, y_1, y_2\}$ with $x_i \prec y_i$ is written $\binom{\forall x_1\;\exists y_1}{\forall x_2\;\exists y_2}$; $\binom{\forall x\;\exists y}{\forall u\;\exists v}\phi$ is equivalent by definition to
$$\exists f, g.\, \forall x, u.\, \phi(x, f(x), u, g(u)).$$
Fact 1. The following are the basic properties of branching quantifiers.

1. Any formula $Q\phi$ where $Q$ is a branching quantifier and $\phi$ is FOL+ is equivalent to a formula of FOL+ $+ \binom{\forall x\;\exists y}{\forall u\;\exists v}$ [?].

2. By definition, any FOL+ $+ \binom{\forall x\;\exists y}{\forall u\;\exists v}$ formula is equivalent to an existential second-order formula.

3. Moreover, any existential second-order formula is equivalent to a formula of FOL+ $+ \binom{\forall x\;\exists y}{\forall u\;\exists v}$. (This is because the formula can be 'unskolemized' using $\binom{\forall x\;\exists y}{\forall u\;\exists v}$: for example, the assertion that there exists an injective function which never takes a particular value $c$, which being true only on infinite structures is not first-order, can be written as $\exists f.\, \forall x, u.\, (f(x) = f(u) \Rightarrow x = u) \wedge (f(x) \ne c)$; and this can be written using $\binom{\forall x\;\exists y}{\forall u\;\exists v}$ as $\binom{\forall x\;\exists y}{\forall u\;\exists v}\big((x = u \Rightarrow y = v) \wedge (y = v \Rightarrow x = u) \wedge (y \ne c)\big)$.)

4. It follows via Fagin's Theorem that on finite structures FOL+ $+ \binom{\forall x\;\exists y}{\forall u\;\exists v}$ expresses NP-hard properties [?]; in fact, as one would expect, FOL $+ \binom{\forall x\;\exists y}{\forall u\;\exists v}$ captures … [?].

2.2 Partial Knowledge Games and Quantifiers à la Hintikka

An alternative way of giving semantics to branching quantifiers is via games. Recall the Hintikka model-checking game for FOL+: given a formula $\psi$ and a structure $M$, a position is a subformula $\phi(\bar x)$ of $\psi$ together with a deal for $\phi$, that is, an assignment of values $\bar v$ to its free variables $\bar x$. At a position $(\forall x.\,\phi_1, \bar v)$, Abelard chooses a value $v$ for $x$, and play moves to the position $(\phi_1, \bar v \cdot v)$; similarly Eloise moves at $\exists x.\,\phi$. At $\phi_1 \wedge \phi_2$, Abelard chooses a conjunct; and at $\phi_1 \vee \phi_2$, Eloise chooses a disjunct. A play of the game terminates at (negated) atoms $P(\bar x)$ (resp. $\neg P(\bar x)$), and is won by Eloise (resp. Abelard) iff $P(\bar x)$ is true with the current deal. Then it is standard that $M \models \psi$ exactly if Eloise has a winning strategy in this game, where a strategy is a function from sequences of legal positions to moves.

These games have perfect information; both players know everything that has happened, and in particular when one player makes a choice, they know the other player's previous choices. Game semantics for the Henkin quantifiers, following [12], use games of imperfect information: in the game for $\binom{\forall x\;\exists y}{\forall u\;\exists v}\phi$, when Eloise chooses for $v$, she does not know what Abelard chose for $x$. To make this explicit, the logic is written with a more general syntax which is linear rather than two dimensional. We here use Hodges' [13] syntax, which addresses certain flaws in Hintikka's; and for reasons of space and simplicity, we omit some operators in this version.
IF-FOL+ is obtained from FOL+ by modifying the syntax of quantifiers to 
be $\forall x/W.$ and $\exists x/W.$, where W is a set of variables. The intention is that 
W is the set of independent variables, whose values the player is not allowed 
to know at this choice point. Thus the Henkin quantifier can be written 
as $\forall x/\emptyset.\,\exists y/\emptyset.\,\forall u/\{x,y\}.\,\exists v/\{x,y\}.$ Henceforth we freely omit set braces and 
write just $\forall x.$ for $\forall x/\emptyset.$ We shall also, again for reasons of space and simplicity, 
consider only the independent ∃, leaving the dualization for independent ∀ to the 
reader (or see [13]). The adapted model-checking game, where the information 
is restricted, can be shown to characterize the Skolem function semantics in the 
sense that Eloise has a winning strategy iff the formula is true. However, these 
games are not determined, so it is not true that Abelard has a winning strategy 
iff the formula is false. For example, $\binom{\forall x}{\exists y}\,x = y$ (or $\forall x.\,\exists y/x.\,x = y$) is false in any 
structure with more than one element, but Abelard has no winning strategy. 



3 Henkin Modal Logic 

For a concurrency theorist, it is natural to see the model-checking game for 
the Henkin quantifier H not as a game of imperfect information, but as a concurrent game: at the H, the 
game splits into two independent concurrent components: in one component 
play proceeds with $\forall x.\,\exists y.$, in the other with $\forall u.\,\exists v.$, and then the components 
join to proceed with φ. This also seems a natural statement to want to make 
about concurrent systems: a choice in one component should not even be able 
to depend on a concurrent choice in another! However, until recently all modal 
or temporal logics enforced logical dependence of choices. 

Example 2. In the children’s game Scissors-Paper-Stone, the two players (say 
Abe and Elly) each put one hand behind their back, and make it either open (Pa- 
per), a fist (Stone), or a V-sign (Scissors). The two players then simultaneously 
bring forward their hands. The round is won according to the rules: Scissors cut 
Paper, Paper wraps Stone, Stone blunts Scissors (if both players choose the same 
object, the round is drawn). Can we ask the question ‘can Elly always win?’? 

If we formalize the game by seeing Abe as choosing between the three ac- 
tions $A = \{sc_A, pa_A, st_A\}$, and similarly for Elly, and viewing the game as their 
independent concurrent composition with final states that satisfy Ewins when 
Elly wins, we can approximate the question by $[A]\langle E\rangle Ewins \wedge \langle E\rangle[A] Ewins$. This 
expresses that Elly can win on all interleavings; it is (correctly) false, but it is 
false for the wrong reason: that $\langle E\rangle[A] Ewins$ fails means that after Elly chooses, 
Abe can, with knowledge of that choice, make her lose, which mis-models the 
situation. 

If we formalize the simultaneity by using a synchronous concurrent compo- 
sition, there is, in normal modal or temporal logics, no way to ask the question 
at all, since only one action (the simultaneous choice) happens. 

Of course, with an eye on Henkin quantifiers, the obvious answer is to define 
a modality ⊗ so one can write $([A] \otimes \langle E\rangle) Ewins$ with the intended meaning. 



Independence: Logics and Concurrency 251 



Recently, Alur, Henzinger and Kupferman have implicitly taken this ap- 
proach in their Alternating Temporal Logic, apparently without awareness of 
Henkin quantifiers: they express, rather, their logic directly in terms of games 
and strategies. We shall now define a simple logic of Henkin modalities; a frag- 
ment of this provides a generalization of ATL, and also includes several other 
distributed logics. 



3.1 A Distributed System Model 

First let us define a notation for system models that, although by no means 
the most general possible, is sufficient for all our examples. Given an algebra 
Act of basic actions, sequential components P are built from non-deterministic 
choice $P_1 + P_2$, action prefix $a.P_1$, and mutual recursive definitions $P = Q(P)$. 
Systems are defined as a parallel composition $\|_i^n P_i$ of n components; $Act_\bot = 
Act \cup \{\bot\}$ where ⊥ is the ‘non-action’ or idle action, and $S \subseteq Act_\bot^n \times Act$ gives the 
synchronization rules by $\|_i^n P_i \xrightarrow{a} \|_i^n P_i'$ (where $a \in Act$) iff each $P_i \xrightarrow{a_i} P_i'$ (for 
$a_i \in Act_\bot$) and also $S(a_1, \ldots, a_n, a)$. We also write $\|^S_i P_i$, particularly 
in the case when S is a function $Act_\bot^n \to Act$. 

This model gives a convenient notation for various distributed automata 
formalisms, or for finite state CCS or CSP (by adjusting the synchronization); 
and a slightly less convenient notation for arbitrary finite 1-safe Petri nets, by 
taking each place as a two state component and using S to code the transitions. 
The alternating transition systems of [1] can also be coded into this notation. 



3.2 Henkin Modalities 

We now define Henkin modal logic (HL) on such a system thus: in addition 
to ML+, that is, basic modal logic in positive form, we have the concurrent 
modalities of the form $\bigotimes_{i=1}^{n} Q_i^1(A_i^1) \ldots Q_i^m(A_i^m)$, where $Q_i^j(A_i^j)$ is either $[A_i^j]$ 
or $\langle A_i^j\rangle$, and $A_i^j \subseteq Act_\bot$; the length of the modality is m. We shall sometimes use 
‘−’ to mean ‘Act’ in modalities. These modalities are given a semantics in terms 
of the corresponding first-order Henkin quantifier. This is notationally tedious 
to write out, so we just give the semantics of the length 2 Henkin modality $[\,]\langle\,\rangle \otimes [\,]\langle\,\rangle$ 
on a 2-component system, by way of example. (We write in Henkin style $\binom{[A]\langle B\rangle}{[C]\langle D\rangle}$ 
for the formal $([A]\langle B\rangle \otimes [C]\langle D\rangle)$.) 



$$P_1 \|_S P_2 \models \binom{[A_1]\langle B_1\rangle}{[A_2]\langle B_2\rangle}\,\phi \quad\text{holds iff}\quad 
\begin{array}{l} \forall a_1 \in A_1,\ P_1'.\ \exists \beta_1 \in B_1,\ P_1''. \\ \forall a_2 \in A_2,\ P_2'.\ \exists \beta_2 \in B_2,\ P_2''. \end{array}\ (P_1'' \|_S P_2'') \models \phi$$ 

where $P_i \xrightarrow{a_i} P_i' \xrightarrow{\beta_i} P_i''$, and the two rows are read as the rows of a Henkin 
quantifier, so that the existential choice in each row is independent of the other row. 

Note that by definition HL does not include the duals of the Henkin modalities. 
Let $\mathrm{HL}_n$ denote the sublogic where the modalities have length at most n. 
$\mathrm{HL}_1$ with the addition of fixpoints (see later) includes many existing distributed 
modal logics. 

Example 3. The indexed transition systems of Andersen [2] take the form of 
systems $\|_{1 \le i \le n} T_i$, where $S(a_1, \ldots, a_n, a)$ iff there is some k such that $a_k = a$ 
and all other $a_i$ are ⊥. (The systems move one component at a time.) Then in 
Andersen’s ‘polyadic mu-calculus’, the indexed modality $[a]_k$ is in our notation 
$\bigotimes_i [a_i]$ where $a_k = a$ and the other $a_i$ are all ⊥. 

Example 4. The distributed net systems used by Huhn, Niebert and Wallner 
[?] are systems where each $P_i$ is a sequential Petri net, and S defines 
the synchronization of common transitions. The transitions are labelled, which 
we may express either by using instead sets of transitions, or by letting S map 
local transitions to global labels rather than to global transitions. Their logic is 
defined locally via an event structure style semantics, so that the basic modality 
is $\langle a\rangle_J \phi$, where $J \subseteq \{1, \ldots, n\}$; this is true at a local state of $P_j$, for $j \in J$, if a 
(which must share some location with J) can fire as an immediate action of the 
J processes, possibly with non-J actions happening first, and then φ holds. 

Such a modality is not expressible in $\mathrm{HL}_1$ without fixpoints, since we have an 
interleaving, global semantics, but with fixpoints it is just $\mu Z.\,\langle a\rangle\phi \vee (\bigotimes_i \langle A_i\rangle) Z$, 
where $A_i$ is ⊥ for $i \in J$ and $Act_\bot$ otherwise. 

The previous examples are merely using the idea of location; to use the power 
of independent quantification, we need: 

Example 5. The alternating transition systems of [1] are an unlabelled setting. 
An ATS is a global state space Q, shared by n agents $P_i$. Each agent has a 
transition function $\delta_i : Q \to 2^{2^Q}$. At a state q, each agent chooses $Q_i \in \delta_i(q)$. 
It is required that for all such choices, $\bigcap_i Q_i$ is a singleton set $\{q'\}$, and this 
determines the next state of the system. Thus the intuition is that each agent 
chooses its desired successors, independently of the others, and the system moves 
to the one state they all desire. 

To encode this in our setting, it is easiest to make the choice an explicit local 
transition happening before the move to the next state. So we take each agent 
$P_i$ to be a transition system with state space $Q \cup 2^Q$, with transitions $q \xrightarrow{\tau} Q_i$ 
(where τ is a dummy label) for every $Q_i \in \delta_i(q)$, and $Q_i \xrightarrow{q'} q'$ for every $q' \in Q_i$ 
(note that $q'$ is also being used as a label). The synchronization algebra S is then 
the diagonal on $Q \cup \{\tau\}$, and one move of the original ATS corresponds to two 
moves of our system $\|_i^n P_i$. Thus the reachable states of our system have the form 
$(q, q, \ldots, q)$ or $(Q_1, \ldots, Q_n)$, and the requirements on the ATS transition function 
mean that there is exactly one transition from any reachable $(Q_1, \ldots, Q_n)$, to 
the unique $(q', q', \ldots, q')$ with $q' \in \bigcap_i Q_i$. 

The Alternating Temporal Logic of [1] is like CTL, except that the path 
quantifiers are not just ∀ and ∃, but have the form $\langle\langle E\rangle\rangle$, where $E \subseteq \{1, \ldots, n\}$. 
The interpretation is that, given a path formula φ (for example, Fψ, ‘eventually 
ψ’), $\langle\langle E\rangle\rangle\phi$ is true if the agents E can choose their successors to make φ hold on 
all paths, regardless of how the agents not in E choose their successors. In other 
words, the E agents can win the path game defined by φ. 

This logic is then in turn defined as a fragment of a suitable mu-calculus, 
just as CTL is defined in the usual modal mu-calculus. The mu-calculus of [1] has 
the basic modality $\langle\langle E\rangle\rangle\bigcirc$ where $\bigcirc$ is the ‘next’ operator, interpreted as just 
described. 

Now in our encoding, this modality is just $(\bigotimes_i Q_i)\langle-\rangle\phi$, where $Q_i$ is $\langle\tau\rangle$ for 
$i \in E$, and $[\tau]$ otherwise. 

Remark 6. A referee suggests that my presentation of HL on distributed sys- 
tems obscures the fact that it is a natural fragment of IF-FOL just as ML is a 
natural fragment of FOL. There is some force in this, but there is a counter: if 
one defines the modalities without reference to locality, one must use a model 
such as ATS’s in which locality is encoded by means of sets of possible next states 
for each agent. It is arguable that the ATS model is less natural than the usual 
models, and also that the distributed modalities are themselves more natural for 
the user than a pure Henkin quantifier. A fuller discussion of this point requires 
further analysis of guarded and finite-variable fragments of IF-FOL, which, as 
far as I know, has not yet been done. 

3.3 Adding Fixpoints 

We have already used fixpoint notation above; to justify this, it suffices to note 
the following fact: 

Proposition 7. A Henkin modality defines a monotone operator on sets of 
global states. Therefore least and greatest fixpoint operators can be added to HL 
as in the normal modal mu-calculus: call this μHL. 

Because we are defining interpretations as sets of global states, some of the 
usual theory carries through trivially: for example. 

Proposition 8. The usual simple complexity upper bound applies: given a μHL 
formula φ of length m and fixpoint alternation depth d, and a system of size n 
(meaning here the number of global states plus the number of transitions), the 
complexity of determining whether $s \models \phi$ is $O(m \cdot H \cdot n^d)$, where H is the cost of 
evaluating a basic modality or boolean. 

In normal modal mu-calculus, H is 0(n); we consider below what H is for 
Henkin modalities. 

Other parts of the theory can be made to carry through in a rather uninter- 
esting way, by ignoring the concurrency and using rather the Skolem semantics: 

Proposition 9. Consider the tableau model-checking system of [?] and add 
rules for the Henkin modalities in the following form: 

$$\frac{s_1 \| s_2 \vdash ([A_1]\langle B_1\rangle \otimes [A_2]\langle B_2\rangle)\phi}{s_{11} \| s_{21} \vdash \phi \quad \ldots \quad s_{1m} \| s_{2m} \vdash \phi}$$ 

where the states on the bottom are given by: for every $A_1$ successor $s_1'$ of $s_1$ there 
is some $B_1$ successor $s_{1j}$ of $s_1'$, and similarly for the second component, such that 

$$s_1 \| s_2 \xrightarrow{a_1 \otimes a_2} s_1' \| s_2' \xrightarrow{b_1 \otimes b_2} s_{1j} \| s_{2j}.$$ 

Then the resulting tableau system is sound and complete. 



Other parts do not carry through so easily: for example, the relationships with 
automata and parity games, where one must extend the usual frameworks with 
either second-order moves or Henkin quantification in the winning conditions. 



3.4 Cost of Henkin Modalities 

As we remarked above, the usual complexity analysis carries through, but de- 
pends, of course, on the cost of evaluating the modalities. 

Proposition 10. The cost of evaluating a Henkin modality of length 1 is $O(n^2)$. 

Proof. To check $s_1 \| s_2 \in \|([A] \otimes \langle B\rangle)\phi\|$, it suffices to try in turn each of the O(n) 
possible B-successors of $s_2$ and check whether all the so chosen $A \otimes B$-successors 
are included in $\|\phi\|$. □ 

The result of this is that $\mu\mathrm{HL}_1$ is not significantly worse (in theory!) than 
normal modal mu-calculus. However, since it is also a slight generalization of 
the AMC of [1], the complexity hardness results there can also be applied to 
$\mu\mathrm{HL}_1$, giving, for example, P-hardness (rather than the NL-hardness of modal 
mu-calculus). 

When we move to real Henkin modalities, things become more expensive. As 
we know that first-order Henkin modalities are NP-complete, we might expect 
this; but we might also hope that the restricted quantification involved in modal 
logic reduces the complexity. Unfortunately, this is not the case: 

Proposition 11. Model-checking $\mathrm{HL}_2$ is NP-hard (and obviously in NP). 

Proof. There is a direct reduction (with thanks to Perdita Stevens) from CNF- 
SAT, which illustrates the use of the Henkin modalities quite nicely, and so is 
worth giving in full. 

Consider an instance Φ of CNF-SAT: it has the form $\bigwedge_{1 \le i \le m} C_i$ where 
$C_i = \bigvee_{1 \le j \le n_i} \ell_{ij}$ and each $\ell_{ij}$ is $v_k$ or $\neg v_k$ for one of the r variables $v_k$. 

We now define a system with two components: the first represents the for- 
mula, the second a choice of variable assignment. Let $D = \sum_{1 \le i \le m} c.C_i$, and 

$$C_i = \sum_{1 \le j \le n_i} d.L_{ij} \qquad\text{and}\qquad L_{ij} = \begin{cases} v_k.t & \text{if } \ell_{ij} = v_k \\ v_k.f & \text{if } \ell_{ij} = \neg v_k. \end{cases}$$ 

Let $A = \sum_{1 \le k \le r} c.V_k$ and $V_k = d.v_k.t + d.v_k.f$. 
Now let S be the synchronization algebra given by $a \otimes a = \tau$, and sym- 
metrically, for every $a \in \{c, d, v_k, t, f\}$, and let $P = D \|_S A$. (In standard CCS 
notation, this would be $(D \mid A) \setminus \{c, d, v_k, t, f\}$.) Note that the size of this system 
is at most quadratic in the size of Φ. 

Now we claim that $P \models \binom{[c]\langle d\rangle}{[c]\langle d\rangle}[\tau]\langle\tau\rangle\mathrm{tt}$ iff Φ is satisfiable. 

Firstly, suppose Φ has a satisfying assignment S. In the game for the Henkin modality Eloise 
plays the following strategy: in the top half, in response to Abelard’s choice of 
$C_i$, she chooses any $L_{ij}$ made true by S - such a literal exists, by definition 
of satisfying assignment. In the bottom half, in response to Abelard’s choice of 
$V_k$, she chooses $v_k.t$ or $v_k.f$ according as $v_k$ is true or false in S. The resulting 
process is then $v_{k'}.(t/f) \|_S v_k.(t/f)$ according as $\ell_{ij}$ is $v_{k'}$ or $\neg v_{k'}$, and as $v_k$ is 
true or false. If $k' \neq k$, then the process is deadlocked, and so satisfies $[\tau]\langle\tau\rangle\mathrm{tt}$. 
If $k' = k$, then since Eloise chose $L_{ij}$ to be true in S, the left hand process has 
t iff the right hand process has t, and so again the process satisfies $[\tau]\langle\tau\rangle\mathrm{tt}$. 

Conversely, if $P \models \binom{[c]\langle d\rangle}{[c]\langle d\rangle}[\tau]\langle\tau\rangle\mathrm{tt}$, then Eloise’s strategy for the Henkin modality defines, in 
the bottom half, an assignment S, and in the top a selection of one literal $L_{ij}$ 
for each conjunct $C_i$, such that the literal is made true by the assignment; so S 
is a satisfying assignment. □ 
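The reduction above, as an added example in Python that is not part of the paper: it builds the components D and A for a given CNF, evaluates the length-2 Henkin modality by enumerating pairs of local strategies (the brute force of the proof of Proposition 12), and contrasts it with the perfect-information reading in which Eloise sees both of Abelard’s choices, which is the same ‘wrong reason’ as in Example 2. The state names, the list encoding of clauses and the two sample instances are constructed for the example.

```python
"""Added example (not from the paper): model-checking the length-2 Henkin modality
([c]<d> ⊗ [c]<d>)[tau]<tau>tt on the CNF-SAT encoding of Proposition 11."""
from itertools import product


def cnf_system(clauses):
    """Build the components D (formula) and A (assignment) of Proposition 11.

    clauses: list of clauses, each a list of literals (k, True) for v_k and
    (k, False) for not v_k.  A component is a dict  state -> [(action, next)].
    State names such as ("C", i) are constructed here for readability."""
    D, A = {"0": []}, {"0": []}
    D["D"] = [("c", ("C", i)) for i in range(len(clauses))]            # D = sum_i c.C_i
    for i, clause in enumerate(clauses):
        D[("C", i)] = [("d", ("L", i, j)) for j in range(len(clause))]  # C_i = sum_j d.L_ij
        for j, (k, positive) in enumerate(clause):
            val = "t" if positive else "f"                             # L_ij = v_k.t or v_k.f
            D[("L", i, j)] = [(("v", k), ("L'", i, j))]
            D[("L'", i, j)] = [(val, "0")]
    variables = sorted({k for clause in clauses for k, _ in clause})
    A["A"] = [("c", ("V", k)) for k in variables]                      # A = sum_k c.V_k
    for k in variables:
        A[("V", k)] = [("d", ("W", k, v)) for v in ("t", "f")]         # V_k = d.v_k.t + d.v_k.f
        for v in ("t", "f"):
            A[("W", k, v)] = [(("v", k), ("X", k, v))]
            A[("X", k, v)] = [(v, "0")]
    return D, A


def global_succ(D, A, state):
    """Successors in D ||_S A with S the diagonal a ⊗ a = tau: both sides must
    perform the same action, and the global label is always tau."""
    s1, s2 = state
    return [(t1, t2) for a1, t1 in D[s1] for a2, t2 in A[s2] if a1 == a2]


def box_tau_diamond_tau_tt(D, A, state):
    """[tau]<tau>tt: every tau-successor has a tau-successor (a deadlock passes vacuously)."""
    return all(global_succ(D, A, s) for s in global_succ(D, A, state))


def local_strategies(comp, state, boxes, diamonds):
    """All local Skolem strategies for [boxes]<diamonds> at `state` in one component:
    each universal move (a, t) is answered by one `diamonds`-successor of t.  The answer
    may depend on (a, t) only, never on the other component: the Henkin restriction."""
    universal = [(a, t) for a, t in comp[state] if a in boxes]
    replies = [[u for b, u in comp[t] if b in diamonds] for _, t in universal]
    if any(not r for r in replies):
        return []                      # some universal move has no existential answer
    return [dict(zip(universal, choice)) for choice in product(*replies)]


def henkin2(D, A, state, mod1, mod2, phi):
    """([A1]<B1> ⊗ [A2]<B2>) phi at a global state, by brute force over pairs of local
    strategies as in the proof of Proposition 12.  Here both A_i are {c} and both B_i
    are {d}, so every pair of local moves synchronises under the diagonal S."""
    s1, s2 = state
    return any(all(phi(D, A, (f1[m1], f2[m2])) for m1 in f1 for m2 in f2)
               for f1 in local_strategies(D, s1, *mod1)
               for f2 in local_strategies(A, s2, *mod2))


def dependent2(D, A, state, mod1, mod2, phi):
    """The perfect-information reading, where Eloise answers both universal moves
    after seeing both of them (the 'wrong reason' of Example 2 reappearing)."""
    s1, s2 = state
    (A1, B1), (A2, B2) = mod1, mod2
    return all(any(phi(D, A, (u1, u2))
                   for b1, u1 in D[t1] if b1 in B1 for b2, u2 in A[t2] if b2 in B2)
               for a1, t1 in D[s1] if a1 in A1 for a2, t2 in A[s2] if a2 in A2)


MOD = ({"c"}, {"d"})                   # [c]<d> in each component
# Constructed instances: (v1 or v2) and (not v1 or v2) is satisfiable; v1 and not v1 is not.
SAT_CNF = [[(1, True), (2, True)], [(1, False), (2, True)]]
UNSAT_CNF = [[(1, True)], [(1, False)]]


def henkin_check(clauses):
    """P |= ([c]<d> ⊗ [c]<d>)[tau]<tau>tt, which holds iff the CNF is satisfiable."""
    D, A = cnf_system(clauses)
    return henkin2(D, A, ("D", "A"), MOD, MOD, box_tau_diamond_tau_tt)


def dependent_check(clauses):
    """The same check with dependent choices: true for every CNF, so it decides nothing."""
    D, A = cnf_system(clauses)
    return dependent2(D, A, ("D", "A"), MOD, MOD, box_tau_diamond_tau_tt)


if __name__ == "__main__":
    for name, cnf in (("SAT_CNF", SAT_CNF), ("UNSAT_CNF", UNSAT_CNF)):
        print(name, "henkin:", henkin_check(cnf), "dependent:", dependent_check(cnf))
```

The strategy enumeration is exponential in the number of universal moves, exactly the $d^d$ per component of Proposition 12, so it is only meant for small instances.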

So it appears that the Henkin modality is exponential to check. This has two 
apparent consequences: it means that one might reasonably argue it is useless, 
even if there are natural properties to be expressed with it; and it means that 
the fixpoint alternation depth is no longer the dominant factor in the combined 
complexity of model-checking. 

The first consequence is in any case rather dubious - worst-case complexity 
may or may not have any relevance to practical complexity, as demonstrated by 
the practical utility of the theoretically non-elementary Mona system - but both 
consequences can be mitigated if systems have certain structure. 

Given a system in our framework, define the local size to be the maximum 
of the sizes of the individual components. 

Proposition 12. In a k-component system with local size d, evaluating a Henkin 
modality of length 2 costs at most $(d^d)^k \cdot d^k \cdot d^k$. 

Proof. Brute force exploration of all the possible ‘Skolem functions’: in each 
component there are at most $d^d$ possible local strategies in the local $[\,]\langle\,\rangle$ game; 
to check that a candidate k-tuple of local strategies satisfies the formula costs 
at most $d^k \cdot d^k$. Thus the total cost is $(d^d)^k \cdot d^k \cdot d^k$. □ 

In a loosely coupled system, the global state space is of size $d^k$; thus as 
the number of components increases, the exponential of the Henkin modality is 
absorbed by the exponential of the state space explosion, rather than adding to 
it. 

The fact that the Henkin modality in the worst case dominates fixpoint 
complexity raises the question of the fixpoint alternation hierarchy for finite 
models. In the infinite case, this question can be solved by extending previous 
techniques. 
Proposition 13. For $\mu\mathrm{HL}_2$ on infinite models (and even on 2-component sys- 
tems), the fixpoint alternation hierarchy is strict. 

Proof. If one considers arithmetic with fixpoints and the Henkin quantifier, the 
fixpoint alternation hierarchy is strict - see the next section. Then a natural 
extension of the techniques of [?], in which a Henkin modality is used to encode 
a first-order Henkin quantifier, transfers this hierarchy to $\mu\mathrm{HL}_2$ on 2-component 
systems. □ 

However, for this result to transfer down to finite models, we would need 
the finite model property for $\mu\mathrm{HL}_2$ and its closure under negation. One can see 
that: 

Proposition 14. Given a finite action set, fixed number of components, and 
given synchronization algebra, then if a $\mu\mathrm{HL}_2$ formula has a countably infinite 
model, it has a finite model. 

Proof. The elegant proofs of the modal mu-calculus finite model property do not 
easily transfer. However, the brute force construction of a finite model by surgery 
on the unravelling does transfer: essentially one builds an infinite tableau (using 
the tableau rule given in Proposition 9 for the Henkin modality); then removes 
all branches that are not required to exist by a diamond modality; and then looks 
for repetitions of the same set of subformulae annotating a state (after defining 
a suitable notion of subformula for the Henkin modality). Closing repetitions to 
form loops gives a finite (albeit large) model. □ 

Unfortunately, I cannot see how to obtain this result for the dual of the 
Henkin modality, if indeed it holds. 

4 IF-FOL and Fixpoints 

4.1 Fixpoints and the Henkin Quantifier 

We return now to the general setting of first-order logic. As we remarked in the 
last proposition, there is no great difficulty in combining a simple Henkin quan- 
tifier with fixpoints: the Henkin quantifier H is just another monotone operator. Getting a handle on 
the expressive power is less trivial. Consider LFP+ + H, that is, first-order logic 
with fixpoints in positive form, plus the Henkin quantifier occurring only posi- 
tively, and consider the structure of arithmetic. The Henkin quantifier itself has 
$\Sigma^1_1$ power, so a formula of the form $\mu Z.\,\mathsf{H}\phi$ for first-order φ is at worst a 
fixpoint over $\Sigma^1_1$, which is at worst [?] in the normal fixpoint hierarchy (because 
$\Sigma^1_1 =$ [?]: Kleene’s theorem). However, it is not immediately obvious that, say, 
[?] is well-behaved; naively, it might be [?]. Of course, it is not, be- 
cause the fixpoint is parametrized on the variables x, y, u, v, and cannot actually 
refer to the defined Skolem functions. The key to analysing the expressive power 
is to extend the normal form results of [?] with the 
Lemma 15. In arithmetic (or other structures with suitable coding power), a 
Henkin quantifier can be pushed inside a fixpoint operator. 

As corollaries of the normal form and existing theorems [?] on the power 
of fixpoints, one obtains 

Corollary 16. The fixpoint alternation hierarchy for LFP+ + H (on arithmetic) 
is strict. 

Corollary 17. LFP+ + H is no more expressive than LFP+ (on arithmetic). 

and in fact both these apply to LFP + H as well; adding the dual is not prob- 
lematic. The latter result contrasts sharply with the position on finite models, 
where a single H is stronger than fixpoints, unless P = NP. 

4.2 Fixpoints and Full IF-FOL 

Now consider the full independence-friendly logic, with the linear syntax al- 
lowing arbitrary specification of independence in quantifiers. We described the 
Skolem function semantics, and the game semantics of Hintikka. These seman- 
tics have the problem that they are not compositional, and in particular they 
give no meaning to a formula such as $\exists y/x.\,\phi$, which occurs as a subformula of 
$\forall x.\,\exists y/x.\,\phi$ (alias $\binom{\forall x}{\exists y}\phi$). Hintikka and Sandu [12] thought that this was an in- 
evitable fact, and Hintikka even went so far as to say that ‘no perverse ingenuity’ 
could produce a compositional semantics. So Wilfrid Hodges [13] promptly gave 
a compositional semantics. This allows us to add fixpoints freely in the usual 
way (call the result IF-LFP, ‘independence-friendly least fixpoint logic’), but at 
an (apparently) considerable price: the interpretation of a formula with free vari- 
ables is no longer just a set of value tuples, but a set of sets of tuples. For the 
formal semantics, recall the definition of the syntax in section 2.2, which is, for 
simplicity, a fragment of the full logic. We will give, using Hodges’ terminology, 
the semantics for this fragment. 

Let $\phi(\bar x)$ mean that $\bar x$ is all the free variables of φ without repetition. Given 
a structure A, a deal for φ is an assignment of an element of A to each variable 
in $\bar x$. The interpretation of a formula is the set of its trumps, defined as follows. 

— If $P(\bar x)$ is atomic, then a non-empty set X of deals is a trump iff every deal 
in X satisfies P. 

— X is a trump for $(\phi \wedge \psi)(\bar x)$ iff X is a trump for $\phi(\bar x)$ and X is a trump for 
$\psi(\bar x)$. 

— X is a trump for $(\phi \vee \psi)(\bar x)$ iff it is non-empty and there are trumps U of φ 
and V of ψ such that every deal in X belongs either to U or V. 

— X is a trump for $\forall y.\,\psi(\bar x, y)$ iff the set $\{ \bar a b \mid \bar a \in X,\ b \in A \}$ is a trump for 
ψ. 

— The interesting case is the existential quantifier (and, in the presence of 
negation, the universal quantifier). Given $\phi(\bar x) = \exists y/W.\,\psi(\bar x, y)$ (where W 
is a subset of the variables $\bar x$), say that two deals are W-equivalent iff they 
agree on all variables not in W. Say that a non-empty set X of deals is a 
W-set if its members are pairwise W-equivalent. Then a set X of deals for 
φ is a trump iff: there is a trump U for ψ such that for every W-set $Y \subseteq X$ 
there is a b such that $\{ \bar a b \mid \bar a \in Y \} \subseteq U$. 

A trump for φ is essentially a set of winning positions for the model-checking 
game for φ, for a given uniform strategy, that is, a strategy where choices are 
uniform in the ‘hidden’ variables. The meaning $\|\phi\|$ of a formula is then defined 
to be the set of its trumps. 

It is easy to see that any subset of a trump is a trump. In the case of an 
ordinary first-order $\phi(\bar x)$, the set of trumps of φ is just the power set of the 
set of tuples satisfying φ. To see how a more complex set of trumps emerges, 
consider the following formula, which has x free: $\exists y/\{x\}.\,x = y$. Any singleton 
set of deals is a trump, but no other set of deals is a trump. Thus we obtain that 
$\forall x.\,\exists y/\{x\}.\,x = y$ has no trumps (unless the domain has only one element). 
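The trump semantics of this section and the x = y example, as an added Python example that is not from the paper: it computes the full set of trumps of a formula over a small finite structure by enumerating sets of deals, following the clauses above (trumps taken to be non-empty throughout, as in the atomic clause). The tuple encoding of formulas, the domain {0, 1} and the helper names are constructed for the example; the slash-free variant shows the ordinary first-order case of Proposition 19.

```python
"""Added example (not from the paper): Hodges-style trump semantics for the
IF-FOL fragment of section 4.2, evaluated by brute force on a finite structure."""
from itertools import combinations


def nonempty_subsets(items):
    """All non-empty subsets of `items` as frozensets (trumps are non-empty sets of deals)."""
    items = list(items)
    return [frozenset(c) for r in range(1, len(items) + 1) for c in combinations(items, r)]


def all_deals(variables, domain):
    """Every deal for `variables`; a deal is a frozenset of (variable, value) pairs."""
    deals = [frozenset()]
    for v in variables:
        deals = [d | {(v, b)} for d in deals for b in domain]
    return deals


def w_equivalent(Y, W):
    """True iff the deals in Y agree pairwise on every variable not in W (Y is a W-set)."""
    return len({frozenset(p for p in d if p[0] not in W) for d in Y}) == 1


def trumps(phi, variables, domain):
    """The set of trumps of phi, as sets of deals over exactly `variables`.

    Formulas are tuples: ("atom", pred, args), ("and", f, g), ("or", f, g),
    ("all", y, f) and ("ex", y, W, f) for the slashed existential  Ey/W. f.
    A quantified variable must not already occur in `variables`."""
    kind = phi[0]
    candidates = nonempty_subsets(all_deals(variables, domain))
    if kind == "atom":
        _, pred, args = phi
        return {X for X in candidates
                if all(pred(*[dict(d)[v] for v in args]) for d in X)}
    if kind == "and":
        return trumps(phi[1], variables, domain) & trumps(phi[2], variables, domain)
    if kind == "or":
        TU = trumps(phi[1], variables, domain)
        TV = trumps(phi[2], variables, domain)
        return {X for X in candidates if any(X <= U | V for U in TU for V in TV)}
    y = phi[1]

    def extend(Y, values):
        """{a b | a in Y, b in values}: extend every deal of Y by each value for y."""
        return frozenset(d | {(y, b)} for d in Y for b in values)

    if kind == "all":
        T = trumps(phi[2], variables + (y,), domain)
        return {X for X in candidates if extend(X, domain) in T}
    if kind == "ex":
        W, T = phi[2], trumps(phi[3], variables + (y,), domain)
        result = set()
        for X in candidates:
            wsets = [Y for Y in nonempty_subsets(X) if w_equivalent(Y, W)]
            # one trump U of the body must cover every W-set of X with a single witness b
            if any(all(any(extend(Y, (b,)) <= U for b in domain) for Y in wsets) for U in T):
                result.add(X)
        return result
    raise ValueError(f"unknown connective {kind!r}")


# Constructed structure and formulas: domain {0, 1}, the atom x = y.
DOMAIN = (0, 1)
EQ = ("atom", lambda a, b: a == b, ("x", "y"))
SLASHED = ("ex", "y", {"x"}, EQ)          # Ey/{x}. x = y   (x free)
PLAIN = ("ex", "y", set(), EQ)            # Ey. x = y       (no independence)


def deal(**assignment):
    """Convenience constructor: deal(x=0) is the deal assigning 0 to x."""
    return frozenset(assignment.items())


if __name__ == "__main__":
    print(trumps(SLASHED, ("x",), DOMAIN))            # only the singletons {x=0} and {x=1}
    print(trumps(("all", "x", SLASHED), (), DOMAIN))  # set(): no trumps at all
    print(trumps(PLAIN, ("x",), DOMAIN))              # every non-empty subset of {x=0, x=1}
    print(trumps(("all", "x", PLAIN), (), DOMAIN))    # {{()}}: the ordinary truth of Ax.Ey. x = y
```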

Now consider adding fixpoints. In normal LFP, we form an inductive defi- 
nition via a formula $\phi(\bar x, X)$ with a relation variable X. In Hodges’ semantics, 
the ‘relation’ variable should instead range over sets of (potential) trumps, and 
hence the fixpoint is taken over functionals $\wp(\wp(A)) \to \wp(\wp(A))$ rather than 
$\wp(A) \to \wp(A)$. For this, we require 

Lemma 18. The operators ∨, ∧, $\forall x.$, $\exists x/W.$ are monotone in the lattice of 
trump sets. 

Thus given an n-ary ‘relation’ variable X, and a formula $\phi(\bar x, X)$ with n free 
variables, we have in the usual way an operator on $\wp(\wp(A^n))$, and we can form 
the fixpoints $\mu X.\phi$ and $\nu X.\phi$. Note, however, that this is not the form of a 
general inductive definition over $\wp(A^n)$, since we do not have variables ranging 
directly over $\wp(A^n)$. 

The usual machinery of ordinal approximants applies. However, as the fix- 
points are over $\wp(\wp(A))$, the naive bound on the closure ordinal of a single 
fixpoint is now exponential in |A|. If A is countably infinite, this raises the pos- 
sibility of $2^{\aleph_0}$-step approximation; and high expressive power. 

Indeed, the question of the expressive power of this logic, on the structure 
of arithmetic, is most interesting. We know that ordinary induction on the inte- 
gers (i.e. LFP) is a small fragment of $\Delta^1_2$; but with IF-LFP, we are performing 
induction over the continuum, which is, unrestricted, extremely powerful: 
induction over a $\Pi^1_1$ formula gives $\Sigma^1_2$, and then induction over $\Delta^1_2$ gives all the 
semihyperprojective sets [?] (including, for example, the entire analytical hierar- 
chy). In our framework, it is natural to conjecture that the expressive power of 
IF-LFP is much less than this (and in fact I conjecture it is in $\Delta^1_2$), but at present 
I do not have the tools to analyse the power. The reasons for the conjectured 
weakness are that the form of induction is very restricted, as noted above. 

We can, however, note the simple fact that this semantics agrees with the 
usual semantics for LFP when there is no independence: 
Proposition 19. If an IF-LFP formula φ contains no slashes, then its deno- 
tation is exactly the set of non-empty subsets of the ordinary LFP 
denotation; and in particular, $\bar x$ is in the LFP denotation of φ iff $\{\bar x\}$ is in 
the IF-LFP denotation of φ. 

Proof. By induction on approximants and the structure of φ. □ 



5 Independence-Friendly Modal Mu-Calculus? 

The fixpoint extension of IF-FOL is interesting in its own right, but it is also 
a tool for understanding more sophisticated Henkin modal logics than we have 
defined so far. 

We have already used the notation ⊗ to describe the concurrent, independent 
combination of sequences of modalities. A natural extension is to take it as an 
operator on formulae instead, so one can write, for example, $([a](P_1 \wedge (\langle b\rangle * 
\wedge \langle c\rangle *))) \otimes ([a](P_2 \wedge \langle-\rangle *)).Q$, with the intended interpretation that the first 
component satisfies the first factor (with $P_1$ probably, but not necessarily, being 
a local proposition as in [1]), making its existential choices independently; the 
second satisfies the second; and in the process, the two components synchronize 
on the a; and when they rendezvous at *, the system satisfies Q. 

The simplest way to define such operators formally is to use a game seman- 
tics, in the style of Hintikka. Precisely, take the syntax of modal logic, in positive 
form, and add: an n-ary (for each n) operator ⊗ (“parallel composition”), an 
atomic formula * (“end of parallel”), and a binary operator . (roughly, “sequen- 
tial composition”). In our usual framework, only one level of ⊗ nesting is allowed, 
and ⊗ and * may only occur on the left side of a “sequential composition”. 

Given a system (say 2-component, for simplicity) in our usual framework, a 
formula defines a game thus: the normal modalities are played as usual. At a 
formula $(\phi_1 \otimes \phi_2).\psi$, the game splits into two concurrent parts: every modality 
move in one half must match a modality move in the other half, with the global 
system advancing as dictated by the synchronization algebra, but the choices 
in one half are independent of those in the other. When play reaches * in both 
halves, play continues at ψ; if play stops because an atomic formula (other than 
*) is reached in either component, Eloise wins if the formula is locally satisfied 
(in both halves, in the event that both halves reach an internal atomic formula). 

This game semantics, although not unnatural, is quite complex. It is an 
exercise in applying [13] to see that: 

Remark 20. Given appropriate predicates on systems in our framework, the 
above logic can be given a semantics using IF-FOL, with the IF-FOL game 
semantics corresponding naturally to the above modal game semantics. 

The issue of fixpoints then arises. Provided that fixpoint operators are re- 
stricted to ‘system formulae’, that is, are not allowed inside ⊗, there is no par- 
ticular problem, and we obtain a logic that can express moderately complex 
properties concerning independence and synchronization, but which is still de- 
cidable. 
However, it is natural to ask whether formulae such as $(\mu Z.\, * \vee (P_1 \wedge [-]Z)) \otimes 
(\mu Z.\, * \vee (P_2 \wedge [-]Z)).\langle a\rangle\mathrm{tt}$ make sense. They appear to make good intuitive sense, 
when one thinks of μ as just meaning ‘finite looping’, but it is not apparent how 
to give a semantics to them within IF-LFP. Furthermore, an attempt to give a 
game semantics results in games where the two agents can proceed arbitrarily 
far without ‘rendezvous’ing and acquiring knowledge of each other’s state space. 
In general, such games, in which the lack of knowledge persists indefinitely, have 
undecidable outcome problems; for example, in [1], a general game quantifier 
temporal logic is defined, which is undecidable on finite systems for that rea- 
son. Whether such formulae can be allowed with restrictions sufficient to retain 
decidability, is an issue for further investigation. 

6 Summary and Future Work 

In this paper, we have introduced the notion of ‘independence-friendly’ modal 
logic; we have laid some of the groundwork for a modal theory, and looked at the 
extension of the first-order theory by fixpoints. This opens up many avenues for 
further exploration, both in a ‘computer science’ setting and in a more ‘logical’ 
setting. For example: 

— Does full μHL with negation have a finite model property? 

— What is the expressive power of IF-LFP on arithmetic? 

— Does μHL have a fixpoint alternation hierarchy on finite models? If so, how 
does this connect to the complexity? 

— In this paper, we have used only a fragment of IF-FOL; in particular, we 
have not used independent disjunction (and conjunction), which is a subtle 
connective (see [?]); and we have not addressed the issue of negation and 
duality. The latter question was traditionally ignored, by sticking to positive 
form; Hodges has provided an account of negation, and there is some work 
to do in applying it in our setting. 

— What is the relation between the logical independence we have been study- 
ing, and the model independence in semantic accounts of true concurrency? 
There appear to be some links between logics of causality and locality, in- 
cluding history-sensitive logics such as the hereditary history-preserving logic 
of [?], and these should be investigated. 

— Independence-friendly logics are philosophically and mathematically inter- 
esting, but are they really useful? Putative applications such as distributed 
system design should be investigated, and it is hoped to pursue this in a 
future project. 

Finally, I should like to thank the several colleagues with whom I have dis- 
cussed the idea of HL, in particular Perdita Stevens and Juliana Küster Filipe. 
I also thank the referees for perceptive criticisms, which, I regret, are largely 
unanswered here; a longer version of this paper will be found via my home page 
http://www.dcs.ed.ac.uk/home/jcb/. I am supported by EPSRC Advanced 
Fellowship AF/97/0322. 
Abstract. We propose an extension, called L_F, of the temporal logic 
LTL, which enables talking about finitely many register values: the models 
are infinite words over tuples of integers (resp. real numbers). The 
formulas of L_F are flat: on the left of an until, only atomic formulas or 
LTL formulas are allowed. We prove, in the spirit of the correspondence 
between automata and temporal logics, that the models of an L_F formula 
are recognized by a piecewise flat counter machine; for each state q, at 
most one loop of the machine on q may modify the register values. 
Emptiness of (piecewise) flat counter machines is decidable (this follows 
from a result in [2]). It follows that satisfiability and model-checking the 
negation of a formula are decidable for L_F. On the other hand, we show 
that inclusion is undecidable for such languages. This shows that validity 
and model-checking positive formulas are undecidable. 

Keywords: Counter automata, temporal logics, model-checking, verification, 
logic in computer science. 



1 Introduction 

Temporal logics play a central role in the specification and verification of reactive 
systems (see e.g. ^Hl). Temporal logics come in two varieties: linear time and 
branching time m. We consider here the linear version PLTL. This (propo- 
sitional) temporal logic is decidable (actually PSPACE-complete ^Hl). Model 
checking is also PSPACE-complete (linear w.r.t. the model). The set of words 
which satisfy a PLTL formula is recognized by a finite Büchi automaton, which 
shows the relatively weak expressive power of the logic; here we are interested 
in specifying and verifying infinite state systems. 

One more general (hence more realistic) class of models would be machines 
with finitely many registers (or counters) taking their values in the integers or real 
numbers, together with a finite control; the simplest example is Minsky machines. 
Unfortunately, even the most simple temporal property, reachability, is undecid- 
able for 2-counter machines [HI. Several restrictions of this model have been 
studied. For instance, Petri nets basically amount to removing the ability to test a 
counter for zero. Temporal properties of Petri nets have been studied in, e.g., PS|. 
Another approach consists in adding hypotheses on the control instead of hypotheses 
on the basic operations only. That is the approach of 0; a counter 
machine is called flat if there is at most one loop on each state. For such ma- 
chines, the binary reachability relation between two control states is expressible 
in Presburger arithmetic P|, hence decidable. Flat automata are still a significant 
subclass of counter automata since, for instance, Alur and Dill's timed automata 
0 can be encoded in this model. 

The notion of flatness appears in several places. As we have seen, it appears 
to be a crucial hypothesis for counter machines. In 0 the authors study the set 
of reachable configurations for an automaton communicating through fifo chan- 
nels. They show how to describe such a set of configurations using a Presburger 
formula, provided that the control is flat. Similarly, in the authors study au- 
tomata communicating through lossy fifo channels and introduce the so-called 
SRE which assume a flatness hypothesis on the control. It is not by chance 
that a similar hypothesis appears in several places: roughly, if only increments 
are allowed, using one loop one may compute addition and using two nested 
loops one can compute multiplication; from one loop to two nested loops we 
move from decidable to undecidable theories. 

More interestingly, flatness appears naturally in PLTL itself: following the 
automata approach, the models of a PLTL formula are recognized by a weak 
alternating automaton (see e.g. IE)). Weakness means that there is an ordering 
on the states such that any state occurring in the image of q by the transition 
function is smaller (or equal to) q. Hence "weak" is a synonym of "flat" in the 
context of alternating automata, though the Büchi automaton accepting the 
same language as a weak alternating automaton may contain several loops on 
the same state, hence is not itself flat. 

This raises the following question: assume that we design a temporal logic 
which includes as atomic formulas expressions involving finitely many counters 
and that we are able to construct for each formula φ an automaton which rec- 
ognizes the models of φ; would the automaton be flat? If this were the case, we 
could design decision procedures for such a logic, because we do have decision 
procedures for flat automata. 

That is the purpose of the present paper: we define a flat temporal logic 
L_F whose atomic formulas include expressions such as x > y − 1 for instance, 
where x, y are integer variables; "flatness" is a restriction in which only atomic 
formulas may occur on the left of an "until". If we drop such a restriction, we 
show that we immediately cross the border: the logic becomes undecidable. In 
there are similar hypotheses: they design a logic in which it is possible 
to consider as a first class object the number of times a given propositional 
formula is satisfied. This logic is in general undecidable, but becomes decidable 
when on the left (resp. on the right) of an until only propositional formulas are 
allowed. Strictly speaking, the results of Pj for instance are incomparable with 
ours since neither the logic nor the models we consider are the same. (Roughly, 
they consider models which are described by a process algebra, i.e. in which there 
is no explicit counter. On the other hand, the integer variables in the logic only 
count the number of occurrences of a given event.) Let us emphasize however that 
counting the number of steps which satisfy some proposition is possible in our 
logic: it suffices to add one counter and increase it each time the proposition is 
satisfied. In this respect, we get some "parametric quantitative reasoning" (d) 
for free; the number of times some transition is fired can be a free variable in 
our logic. 

We prove that recognizability by a flat automaton is equivalent to definability 
in L_F. Note that this result goes both ways: unlike PLTL for which only star-free 
languages are definable, here, any flat language is definable (and conversely any 
definable language is flat). We prove that satisfiability of L_F formulas, as well as 
model-checking the negation of formulas in L_F (against a model described by a 
flat automaton) are decidable: this is a consequence of the relationship between 
flat formulas and flat automata on one hand and decidability results for flat 
automata on the other hand. 

L_F has however several weaknesses. First, it is not closed by negation. This 
cannot be avoided as we show that validity of φ ∈ L_F as well as model-checking 
φ are undecidable. Phrasing these results in terms of automata: though emptiness 
is decidable for flat automata, universality is undecidable. 

L_F does not contain LTL. However, we can design a logic L_F^+ which embeds 
both LTL and L_F, while keeping the nice decidability properties. Now, instead 
of flat automata, each formula of L_F^+ can be associated with a piecewise flat au- 
tomaton which accepts the models of the formula. Emptiness remains decidable 
for such automata, which implies again that satisfiability and model-checking 
the negation of a formula are decidable (this includes reachability for instance). 

We start in section 2 with definitions and examples of (flat) counter automata. 
In section 3 we establish (un)decidability results for flat automata. The flat logic 
L_F is introduced in section 4, where we also prove the correspondence with flat 
automata. Then we consider in section 5 the decision problems for this logic. 
Finally, in section 6 we consider the extension L_F^+ which also embeds LTL. 

2 Flat Counter Automata 

Our constraints relate the current values (unprimed variables) and the next 
values (primed variables) of the counters, in a declarative way. 

Definition 1 (Constraint). An atomic constraint is one of the expressions: 
x ▷ y + c, x ▷ c, c ▷ x where ▷ ∈ {<, ≤} and c ∈ Z (resp. c ∈ Q). A constraint 
c is either the constant true, the constant false or a conjunction of atomic 
constraints. The set of constraints with free variables x_1, ..., x_k, x'_1, ..., x'_k is 
written C(x_1, ..., x_k). 

A constraint c in C(x_1, ..., x_k) defines a binary relation R_c on D^k where 
D ∈ {N, Z, Q, ...}: the relational symbols <, ≤ are interpreted as the usual 
ordering, as well as constant addition; (v, v') ∈ R_c iff the valuation in which the 
ith component of v is assigned to x_i and the ith component of v' is assigned to 
x'_i satisfies c. 
Definition 2 (Counter automaton: syntax). An automaton with k counters 
A is a tuple (Σ, Q, q_0, F, δ) where Q is a finite set of states, Σ is a finite alphabet, 
q_0 ∈ Q is the initial state, F ⊆ Q is the set of final states and δ ⊆ Q × 
C(x_1, ..., x_k) × Σ × Q is a transition relation. We sometimes write q -(c,a)->_A q' 
instead of (q, c, a, q') ∈ δ. 

A configuration of the automaton is a pair (q, v) with q ∈ Q and v ∈ N^k 
(resp. v ∈ Q^k). The automaton may move from a configuration (q, v) to a 
configuration (q', v') iff there is a transition (q, φ, a, q') ∈ δ such that v, v' ⊨ φ: 
the free variables x_1, ..., x_k are interpreted by v_1, ..., v_k and the free variables 
x'_1, ..., x'_k are interpreted by v'_1, ..., v'_k. We write (q, v) -a->_A (q', v') when the 
automaton A may move from a configuration (q, v) to a configuration (q', v') 
while reading a. a may be dropped if it is not relevant. 



Definition 3 (Counter automaton: semantics). Let w be a finite (resp. infinite) 
word, w ∈ (Σ × N^k)* (resp. w ∈ (Σ × N^k)^ω). A run of A on w is a finite (resp. 
infinite) word ρ ∈ Q* of length |w| (resp. ρ ∈ Q^ω) such that ρ(1) = q_0 and, for 
every 1 ≤ i ≤ |w| − 1 (resp. i ≥ 1), (ρ(i), v_i) -a_i->_A (ρ(i+1), v_{i+1}) if w(i) = (a_i, v_i). 

A run ρ is successful if its last letter belongs to F (resp. if it contains infinitely 
many elements of F). A word w is accepted by A if there is a successful run of 
A on w. 

We write L(A) for the set of finite words accepted by A and L_ω(A) for the language 
of infinite words accepted by A. 



Example 1. On figure 1 we have depicted a controller for a pay phone. There 
are two counters: x is the number of quarters which have been inserted and 
y measures the total communication time. We use the classical abbreviations: 
x++ stands for x' = x + 1 and x−− stands for x' = x − 1. Also, by convention, 
when x' (resp. y') is not present in a transition, the constraint x' = x (resp. 
y' = y) is assumed. 

Such an automaton is expected to interact with its environment; messages 
are followed either by a question mark, when they are received by the controller, 
or by an exclamation mark, when they are sent by the controller. These aspects 
are however irrelevant here. 

The initial state (which is also the only final state) is q_1. A possible sequence 
of consecutive moves of the automaton is: 

[Sequence of moves of which only the message labels survive the scan: lift?, quarter?, quarter?, quarter?, dial?, connected?, ...; the intermediate configurations are not recoverable.] 
Note that, by choice of the final state, it is not possible to insert quarters forever. 
Definition 4. A counter automaton over a single letter alphabet (|Σ| = 1) is flat 
if there is an ordering on the states such that there is a possible move from some 
(q, v) to some (q', v') only if q ≥ q'. Moreover, there is at most one transition 
from a state to itself. 



[Fig. 1. A pay phone. Transition labels visible in the figure: "quarter?, x++" (twice), "y' < x, y++", "y < x", "signal?", "y++"; the state layout is not recoverable from the scan.] 



Example 2. Consider the pay phone of figure 1 in which we forget the messages. 
The resulting automaton is not flat as there are several loops on a single state 
(e.g. q_2). It is however possible to replace each loop on a single state with a 
single transition, without changing the reachability relation. For instance the 
iteration of a loop labeled with x++ can be replaced with a single transition 
x' ≥ x. Then the one step loops on q_2, q_3, q_4 and q_6 can be replaced with single 
transitions and the automaton becomes flat. 

Also, if we remove the transition between q_6 and q_1, the automaton becomes 
flat. 
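As an added illustration of Definitions 1 to 4 and of Example 2 (this is example code, not the paper's), the following Python encodes constraints and moves over a one-letter alphabet, decides acceptance of a finite word, tests flatness, and merges increment loops; the pay-phone automaton is a constructed three-state variant of figure 1 whose state names and guards are assumptions.

```python
# Added example (not the paper's code): counter automata of Definitions 1-4 as
# Python data, with finite-word acceptance, the flatness test of Definition 4
# and the loop merging of Example 2.  The pay phone is a constructed 3-state
# variant of figure 1 whose guards are assumptions.  An atom (lhs, op, rhs) has
# sides (variable, constant) (variable None = bare constant) and op in {"<", "<="};
# a constraint is a tuple of atoms (conjunction), () is true, None is false.
def side(term, env):
    var, c = term
    return (env[var] if var is not None else 0) + c

def holds(constraint, env):
    """env maps "x" to the current and "x'" to the next value of counter x."""
    if constraint is None:
        return False
    for lhs, op, rhs in constraint:
        a, b = side(lhs, env), side(rhs, env)
        if not (a < b if op == "<" else a <= b):
            return False
    return True

def eq(u, v=None, c=0):            # u = v + c as two atoms; v None means u = c
    return (((u, 0), "<=", (v, c)), ((v, c), "<=", (u, 0)))

def keep(x):                       # x' = x, the convention of Example 1
    return eq(x + "'", x)

def incr_loop(counters, x):        # x++ with every other counter unchanged
    return sum((eq(y + "'", y, 1) if y == x else keep(y) for y in counters), ())

def pay_phone(with_hang_up=True):
    """Constructed model: x counts inserted quarters, y the talking time."""
    cs = ("x", "y")
    trans = [("q1", eq("x'") + keep("y"), "q2"),             # lift?: x := 0
             ("q2", incr_loop(cs, "x"), "q2"),               # quarter?: x++
             ("q2", incr_loop(cs, "y"), "q2"),               # (assumed) credit?: y++
             ("q2", keep("x") + eq("y'"), "q3"),             # dial?: y := 0
             ("q3", ((("y", 0), "<", ("x", 0)),) + eq("y'", "y", 1) + keep("x"), "q3")]  # y < x: talk
    if with_hang_up:
        trans.append(("q3", keep("x") + keep("y"), "q1"))    # hang up
    return {"counters": cs, "states": ("q1", "q2", "q3"),
            "init": "q1", "final": {"q1"}, "trans": trans}

def accepts(aut, word):
    """Definition 3 on finite words (one-letter alphabet, so a word is a list of
    counter vectors): track the reachable states, accept iff one is final."""
    current = {aut["init"]} if word else set()
    for v, w in zip(word, word[1:]):
        env = {}
        for name, a, b in zip(aut["counters"], v, w):
            env[name], env[name + "'"] = a, b
        current = {q2 for q1, c, q2 in aut["trans"]
                   if q1 in current and holds(c, env)}
    return bool(current & aut["final"])

def is_flat(aut):
    """Definition 4: an ordering with q >= q' for every move q -> q' exists iff
    the control graph minus self-loops is acyclic (Kahn's algorithm below),
    and no state may carry more than one self-loop."""
    loops, succ = {}, {q: set() for q in aut["states"]}
    for q1, _, q2 in aut["trans"]:
        if q1 == q2:
            loops[q1] = loops.get(q1, 0) + 1
        else:
            succ[q1].add(q2)
    if any(n > 1 for n in loops.values()):
        return False
    indeg = {q: 0 for q in aut["states"]}
    for q1 in succ:
        for q2 in succ[q1]:
            indeg[q2] += 1
    ready, ordered = [q for q in indeg if indeg[q] == 0], 0
    while ready:
        q = ready.pop()
        ordered += 1
        for q2 in succ[q]:
            indeg[q2] -= 1
            if indeg[q2] == 0:
                ready.append(q2)
    return ordered == len(aut["states"])

def merge_increment_loops(aut):
    """Example 2: several x++-style loops on one state become one loop x' >= x on
    the incremented counters (x' = x on the rest).  Reachability between control
    states is preserved; the language is not (one move = any number of steps)."""
    cs, kept, loops = aut["counters"], [], {}
    for q1, c, q2 in aut["trans"]:
        if q1 == q2:
            loops.setdefault(q1, []).append(c)
        else:
            kept.append((q1, c, q2))
    for q, guards in loops.items():
        bumped = [x for c in guards for x in cs if c == incr_loop(cs, x)]
        if len(guards) > 1 and len(bumped) == len(guards):
            merged = sum(((((y, 0), "<=", (y + "'", 0)),) if y in bumped
                          else keep(y) for y in cs), ())
            kept.append((q, merged, q))
        else:
            kept.extend((q, c, q) for c in guards)
    return dict(aut, trans=kept)
```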



3 (Un)decidability Results for Flat Counter Automata 

We first recall here the decision results which can be derived from [Sj. Then we 
prove new undecidability results. 

Theorem 1 ([9]). Given two states q_1, q_2 of a flat counter automaton A, there 
is an effectively computable formula of Presburger arithmetic Φ_{q_1,q_2}(x_1, ..., x_k, m, x'_1, ..., x'_k) with 
2k + 1 free variables such that (q_1, v) →^m_A (q_2, v') iff v, m, v' ⊨ Φ_{q_1,q_2}. 
Corollary 1 ([10]). The emptiness of L(A) (resp. L_ω(A)) is decidable for flat 
automata A. 

Decidability of the emptiness of L(A) follows directly from theorem 1: it suffices 
to decide ∃m. q_0 →^m q_f for every final state q_f. Concerning L_ω(A), we need 
to decide the infinite iterability of a loop, which is also a consequence of the 
particular expression of the reachability relation, with some additional work 
El. 

Proposition 1. The class of languages recognized by flat counter automata is 
effectively closed under union and intersection (both in the finite and in the infinite 
words cases). 

Proof sketch: The closure under union is straightforward. The closure under intersec- 
tion is a consequence of the closure of C(x_1, ..., x_k) under conjunction. □ 

Unfortunately the class of languages recognized by flat automata is not closed 
under complement. Actually, we are going to show that the question of whether 
a flat automaton accepts all words in (N^k)* is undecidable, which gives the non- 
closure result thanks to corollary 1. 

First, consider the set CA_1 of counter automata over a one letter alphabet 
such that there is exactly one transition starting from a final state, which is 
labeled with true. The reachability of a final state in a Minsky machine reduces 
to the emptiness of the language recognized by such a counter automaton. Hence 
we have the undecidability result: 

Lemma 1. The emptiness problem for L(A) (resp. L_ω(A)) is undecidable for 
A ∈ CA_1. 

We may further restrict the class of counter machines, encoding the states 
into a counter. Let CA_2 be the class of automata in CA_1 which only contain two 
states q_1, q_2, such that q_2 is final and there is no transition from q_2 to q_1. (See 
figure 2.) 




If A is an automaton with k + 1 counters and x is one particular counter then 
the projection π_x(L(A)) (resp. π_x(L_ω(A))) is the subset of (N^k)* (resp. (N^k)^ω) 
of words in L(A) in which the x component has been erased. 
Lemma 2. For every automaton A ∈ CA_1 with k counters x_1, ..., x_k, there 
is an automaton A' ∈ CA_2 with k + 1 counters c, x_1, ..., x_k such that L(A) = 
π_c(L(A')) and there is a flat automaton A'' such that L(A'') = (N^{k+1})* − L(A') 
(resp. L_ω(A'') = (N^{k+1})^ω − L_ω(A')). 

Proof sketch: First add a counter c which records the state number; without 
loss of generality, we may assume that the numbering of the states is such that Q = 
{q_1, ..., q_n} and Q_F = {q_f, ..., q_n} (i.e. states whose number is at least f 
are final). The automaton A' contains two states: Q and Q_F. A transition from 
state i to state j with a constraint φ becomes, when i is not final (for instance), 
a constraint φ ∧ c = i ∧ c' = j from the initial state to itself, or to the final state 
if q_j ∈ Q_F. 

Let φ_1, ..., φ_n be the constraints of the transitions on the initial state and 
ψ_1, ..., ψ_m be the constraints of the transitions from the initial to the final state 
in A'. Note that, by construction, for every i, ψ_i ⊨ c' ≥ f. 

Let a disjunction of constraints be chosen which is logically equivalent to 

    ¬( (⋁_{i=1}^{n} φ_i) ∨ (⋁_{i=1}^{m} ψ_i) ) 

Such a disjunction of constraints always exists since the negation of an atomic 
constraint can always be written as a disjunction of atomic constraints. 

Our flat automaton is built as depicted on figure 3. A word which is not 
accepted either never reaches a final state, i.e. c remains strictly smaller than 
f, or else it is not compatible with the transition relation at some point, before 
reaching a final state. □ 

[Fig. 3. The flat automaton in the proof of lemma 2. Transition guards visible in the figure: c < f, true.] 

Lemma 2 is a little bit confusing; one may get the impression that the com- 
plement of any counter language (over a one letter alphabet) is recognized by 
a flat automaton. This is not true, however; the projection plays an important 
role here. On the other hand, we know that the complement of the language of a flat 
automaton cannot always be recognized by a flat automaton: universality would then be 
decidable, hence the emptiness for any counter automaton. 

From the two previous lemmas we can derive the following: 

Theorem 2. The universality is undecidable for flat automata (both in the case 
of finite and in the case of infinite words). 



Flatness Is Not a Weakness 269 



4 The Flat Counter Logic L_F 

We introduce first a logic with counters CLTL, which, unfortunately, is too 
expressive. However, the notion of flat automaton which we introduced in the 
last section can be easily characterized at the logical level using a restriction of 
CLTL, which is similar to the so-called “flat fragment” in m for instance. 



4.1 A Logic with Counters 

Basically, we consider a temporal logic whose modalities are the same as in 
PLTL. The only difference is that, instead of propositional atomic formulas, we 
allow arbitrary constraints in C(x_1, ..., x_k). 

More precisely, given a natural number k and a finite set of propositional 
variables V, CLTL is the smallest set of formulas such that P belongs to CLTL 
for every P ∈ V, C(x_1, ..., x_k) is included in CLTL and if φ_1 and φ_2 are formulas 
of CLTL, then φ_1 ∧ φ_2, φ_1 ∨ φ_2, ... are formulas of CLTL. 

We may also use the classical derived operators □ ("henceforth") and ◇ 
("eventually"). 

Temporal formulas are interpreted over computations which are now infinite 
words in (2^V × N^k)^ω. Given an infinite path π ∈ (2^V × N^k)^ω, we write π(i) for the 
ith letter of π and we let π̄ be the infinite word in (2^V × N^k × N^k)^ω defined by: 

    (π(i) = (a, v) and π(i + 1) = (b, w)) implies π̄(i) = (a, v, w) 

This little technicality is necessary because the constraints may express relations 
between two successive values of the counters and not only constraints on a given 
value of the counters. 

Now, a path π satisfies φ, written π ⊨ φ, iff π, 1 ⊨ φ, where: 

— π, i ⊨ true and π, i ⊭ false 

— π, i ⊨ P where P ∈ V if and only if π(i) = (a, v) and P ∈ a 

— π, i ⊨ φ(x_1, ..., x_k, x'_1, ..., x'_k) where φ ∈ C(x_1, ..., x_k) iff π̄(i) = (a, v, w) 
and v, w ⊨ φ (with the usual definition of satisfaction in Presburger arith- 
metic). 

— π, i ⊨ Xφ iff π, i + 1 ⊨ φ, 

— π, i ⊨ φ_1 ∧ φ_2 iff π, i ⊨ φ_1 and π, i ⊨ φ_2, ... 

— π, i ⊨ φ_1 U φ_2 iff there is an index j ≥ i such that π, j ⊨ φ_2 and for all 
k ∈ [i, j[, π, k ⊨ φ_1. 



Example 3. CLTL allows one to express properties such as: "x is never greater than 
100" or "each time x is larger than 100, an alarm is raised" or "ultimately, the 
register x remains stable": 

    □(x < 100),    ◇(x < 100) ∨ (x < 100 U alarm > 1),    ◇□(x' = x) 

Unfortunately, CLTL is too expressive: 

Theorem 3. Satisfiability is undecidable for CLTL. Model checking (of a flat 
automaton) is also undecidable in this logic. 

Proof sketch: We reduce the halting problem of a counter machine. Roughly, we 
use an auxiliary variable c ranging over the states of the machine and encode 
the computations of the machine by the formula: 

    ( ⋀_{q_i ∈ Q} ( c = q_i → ⋁_{q_i -φ-> q_j} (φ ∧ X(c = q_j)) ) ) U ( ⋁_{q_j ∈ F} c = q_j ) 

□ 



4.2 The Flat Fragment of the Logic 

L_F is defined by a syntactic restriction of the formulas, which, roughly, restricts 
the left members of "until" to be conjunctions of atomic formulas, thus prevent- 
ing the construction of theorem 3. For simplicity, we assume here that V = ∅; 
propositional variables will be re-introduced in section 6 and, anyway, they can 
be encoded by integer variables. 

Definition 5. An elementary formula is a Boolean combination of constraints 
in C(x_1, ..., x_k). 

The set L_F of flat formulas is the smallest subset of CLTL such that: 

— elementary formulas are flat 

— if φ_1, φ_2 are flat, then φ_1 ∧ φ_2, φ_1 ∨ φ_2, Xφ_1 are flat. 

— if φ_1 is a constraint in C(x_1, ..., x_k) and φ_2 is flat, then φ_1 U φ_2 is flat 

— if φ is a constraint in C(x_1, ..., x_k), then ¬(true U ¬φ) (i.e. □φ) is flat 

The last condition is ad hoc: it corresponds to the encoding of final states, 
as we will see. 

Let us emphasize that L_F is not closed by negation. This is unavoidable as 
we will see in the next section. On the other hand, we could add the weak until, 
as both □φ and φ U ψ are in L_F when φ is a constraint. 

Example 4. The formulas given in example 3 are all flat. 

One of the main interests of L_F is the correspondence with flat automata: 

Theorem 4. For every formula φ of L_F, there is a flat automaton which accepts 
the models of φ. 

Conversely, for every flat automaton A, there is a formula φ of L_F whose 
models are the words accepted by A. 
Proof sketch: From logic to automata we use the closure properties of flat au- 
tomata under union and intersection (proposition 1) and the standard constructions 
for U, X and □. For instance consider φ U ψ. By hypothesis, φ belongs to 
C(x_1, ..., x_k). We construct the automaton for φ U ψ by adding in front of the 
automaton for ψ a state on which there is a loop guarded by φ. 

From the automata to the logic, we proceed by induction on the ordering 
on states. From minimal states q there is at most one departing transition, say 
labeled with φ, and whose target is q itself. Then, if q is final, the corresponding 
formula will be □φ (false otherwise). For the induction step, if q_1, ..., q_n are 
the successors of q and φ is the constraint of the loop on q, we get roughly the 
formula φ U ((φ_1 ∧ Xφ_{q_1}) ∨ ... ∨ (φ_n ∧ Xφ_{q_n})). □ 



5 Satisfiability and Model-Checking in Cp 

Thanks to theorem 4 we can decide satisfiability and model checking of the 
negation of a formula of L_F: 

Theorem 5. Given a formula φ ∈ L_F and a flat automaton A, the following 
questions are decidable: 

— Is φ satisfiable? 

— Does A satisfy ¬φ? (In other words, is there a word accepted by A which is 
a model of φ?) 

Proof. Thanks to theorem 4, for every formula φ ∈ L_F, there is an automaton 
A_φ which accepts the models of φ. Then satisfiability reduces to the emptiness 
of L(A_φ) and A ⊨ ¬φ reduces to L(A) ∩ L(A_φ) = ∅. Now, thanks to corollary 1 
and proposition 1, both questions are decidable. □ 



Example 5. Negations of formulas in L_F include for instance reachability formu- 
las ◇q (adding here a new counter whose value is 0, except when reaching q) or 
safety formulas □¬φ where φ is a constraint. Actually, considering the formulas 
in example 3, the negations of the first two formulas also belong to L_F because 
the negation of constraints s > t are atomic constraints and the negation of c U c' 
is in L_F when c, c' are both of the form s > t. Only the negation of ◇□x' = x 
is not an L_F formula. 
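As an added example for Definition 5 and Example 5 (example code, not the paper's), the following Python checks membership in L_F syntactically and pushes negation down to the atoms, reproducing the observation that the negations of the first two formulas of Example 3 stay flat while the negation of ◇□(x' = x) does not; atom sides are kept as plain strings and V = ∅ as in section 4.2.

```python
# Added example (not the paper's code): CLTL formulas as nested tuples, the
# flat fragment L_F of Definition 5 as a syntactic check, and negation pushed
# down to the atoms as used in Example 5.  Section 4.2 assumes V = {} so there
# are no propositional variables here.  Nodes: ("atom", lhs, op, rhs) with op
# in {"<", "<="} and string sides, ("and", f, g), ("or", f, g), ("not", f),
# ("X", f), ("U", f, g) and ("G", f) for the "henceforth" box.
TRUE, FALSE = ("true",), ("false",)

def atom(lhs, op, rhs):
    return ("atom", lhs, op, rhs)

def F(f):                           # eventually: true U f
    return ("U", TRUE, f)

def is_constraint(f):
    """Definition 1: true, false, or a conjunction of atomic constraints."""
    if f in (TRUE, FALSE) or f[0] == "atom":
        return True
    return f[0] == "and" and is_constraint(f[1]) and is_constraint(f[2])

def is_elementary(f):
    """Boolean combination of constraints, without temporal operators."""
    if is_constraint(f):
        return True
    if f[0] in ("and", "or"):
        return is_elementary(f[1]) and is_elementary(f[2])
    return f[0] == "not" and is_elementary(f[1])

def is_flat(f):
    """Membership in L_F (Definition 5)."""
    if is_elementary(f):
        return True
    op = f[0]
    if op in ("and", "or"):
        return is_flat(f[1]) and is_flat(f[2])
    if op == "X":
        return is_flat(f[1])
    if op == "U":                   # left of an until: a single constraint
        return is_constraint(f[1]) and is_flat(f[2])
    if op == "G":                   # the box only applies to a constraint
        return is_constraint(f[1])
    return False

def negate(f):
    """Push negation inwards.  not (a < b) is b <= a, not (a <= b) is b < a;
    not (c U d) is  G not d  or  (not d U (not c and not d)), which is flat when
    c and d are atomic; not (true U d) simplifies to G not d."""
    op = f[0]
    if f == TRUE:
        return FALSE
    if f == FALSE:
        return TRUE
    if op == "atom":
        _, lhs, cmp, rhs = f
        return atom(rhs, "<" if cmp == "<=" else "<=", lhs)
    if op == "not":
        return f[1]
    if op in ("and", "or"):
        return ("or" if op == "and" else "and", negate(f[1]), negate(f[2]))
    if op == "X":
        return ("X", negate(f[1]))
    if op == "G":
        return F(negate(f[1]))
    c, nd = f[1], negate(f[2])      # op == "U"
    if c == TRUE:
        return ("G", nd)
    return ("or", ("G", nd), ("U", nd, ("and", negate(c), nd)))

X_LT_100 = atom("x", "<", "100")
# The three formulas of Example 3.
EXAMPLE3 = [
    ("G", X_LT_100),                                            # [](x < 100)
    ("or", F(X_LT_100), ("U", X_LT_100, atom("1", "<", "alarm"))),
    F(("G", ("and", atom("x'", "<=", "x"), atom("x", "<=", "x'")))),  # <>[](x' = x)
]
```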

It is also possible to reduce in polynomial time Presburger arithmetic sat- 
isfiability to L_F satisfiability, hence, in principle, L_F is at least as hard as 
Presburger arithmetic (between 2-DEXPTIME and 3-DEXPTIME). 

Now, deciding A ⊨ φ for φ ∈ L_F is equivalent to the decision of inclusion of 
flat automata, which is undecidable: 

Theorem 6. The validity problem and the model checking on a flat automaton 
are undecidable for a formula φ ∈ L_F. 

Sketch of the proof: This follows from theorems 2 and 4. □ 
6 L_F^+: A Decidable Extension of L_F and LTL 

The logic L_F is not fully satisfactory in many respects. In particular, the re- 
strictions on the left member of an U disallow arbitrary LTL formulas. On the 
other hand, theorem 3 shows that we cannot simply drop the restriction. At 
least, we have to consider positive Boolean combinations of PLTL formulas and 
L_F formulas. We can still go a little further, as we will see. 

Informally, L_F^+ extends L_F by allowing any conjunction of a PLTL formula 
and a constraint where only constraints were allowed. 

Definition 6 (Syntax of L_F^+). We assume given a finite set of propositional 
variables V and a positive integer k. 

Given a constraint φ, PLTL_φ is the smallest set of temporal formulas con- 
taining φ ∧ P_1 ∧ ... ∧ P_n ∧ ¬Q_1 ∧ ... ∧ ¬Q_m for every propositional variables 
P_1, ..., P_n, Q_1, ..., Q_m and which is closed by ∧, ∨, U, X, □. A basic formula is 
a formula ψ ∈ PLTL_φ for some φ ∈ C(x_1, ..., x_k). 

L_F^+ is the smallest set of formulas such that: 

— every basic formula is in L_F^+, 

— if φ_1, φ_2 are in L_F^+, then φ_1 ∧ φ_2, φ_1 ∨ φ_2, Xφ_1 are in L_F^+ 

— if φ_1 is a basic formula and φ_2 ∈ L_F^+, then φ_1 U φ_2 ∈ L_F^+ 

— if φ_1 is a basic formula, then □φ_1 ∈ L_F^+. 

Note that, in PLTL, negation can be pushed to the propositional variables 
level if we include □ in the syntax. That is why PLTL formulas are basic formulas 
in the above definition: it is sufficient to choose φ = true. Constraints are also 
basic formulas, hence L_F^+ is an extension of both L_F and PLTL. 

On the other hand L_F^+ is a fragment of the logic CLTL which was defined in 
section 4.1, from which we borrow the semantics. 

Example 6. We may record the elapsed time in an LTL formula using an auxiliary 
counter; for instance: 

    x = 0 ∧ (((P ∧ (x' = x + 1)) U (Q ∧ x' = x + 1)) U (R ∨ x > a)) 

is an L_F^+ formula, x recording the elapsed time. We could consider e.g. a second 
phase in R in which the time spent for each action is larger (or smaller), or even 
record something different, as, e.g., distance or available resources... However, it 
is not allowed to replace one of the two occurrences of x + 1 with x + 2: on the 
left of an until the constraint has to be the same everywhere. 
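An added check for the syntax of Definition 6 (example code, not the paper's): it decides whether a CLTL formula, given as nested tuples, is in L_F^+ by finding the single constraint φ shared by every leaf of a basic formula, and it exercises Example 6 together with the disallowed x + 2 variant; atom sides are plain strings.

```python
# Added example (not the paper's code): the syntactic check for L_F^+ of
# Definition 6.  Formulas are nested tuples: ("atom", lhs, op, rhs) with op in
# {"<", "<="}, ("P", name) for a propositional variable, ("not", f) on such a
# variable, and ("and", f, g), ("or", f, g), ("X", f), ("U", f, g), ("G", f).
TRUE, FALSE = ("true",), ("false",)

def atom(lhs, op, rhs):
    return ("atom", lhs, op, rhs)

def eq(u, v):                              # u = v as the pair u <= v, v <= u
    return ("and", atom(u, "<=", v), atom(v, "<=", u))

def split_conjunction(f, atoms, lits):
    """Flatten f = phi and P_1 and ... and not Q_m into its constraint atoms and
    propositional literals; False if some conjunct is neither."""
    if f[0] == "and":
        return (split_conjunction(f[1], atoms, lits)
                and split_conjunction(f[2], atoms, lits))
    if f[0] == "atom" or f in (TRUE, FALSE):
        atoms.append(f)
        return True
    if f[0] == "P" or (f[0] == "not" and f[1][0] == "P"):
        lits.append(f)
        return True
    return False

def basic_constraint(f):
    """If f is a basic formula, i.e. f is in PLTL_phi for a single constraint
    phi, return phi (as a frozenset of atoms; {true} for a pure PLTL formula),
    otherwise None.  PLTL_phi is closed under and, or, U, X and G, so every
    leaf must carry the same phi."""
    atoms, lits = [], []
    if split_conjunction(f, atoms, lits):
        return frozenset(atoms) if atoms else frozenset([TRUE])
    op = f[0]
    if op in ("and", "or", "U"):
        a, b = basic_constraint(f[1]), basic_constraint(f[2])
        return a if a is not None and a == b else None
    if op in ("X", "G"):
        return basic_constraint(f[1])
    return None

def is_flat_plus(f):
    """Membership in L_F^+ (Definition 6)."""
    if basic_constraint(f) is not None:
        return True
    op = f[0]
    if op in ("and", "or"):
        return is_flat_plus(f[1]) and is_flat_plus(f[2])
    if op == "X":
        return is_flat_plus(f[1])
    if op == "U":                      # left of an until: one basic formula
        return basic_constraint(f[1]) is not None and is_flat_plus(f[2])
    if op == "G":
        return basic_constraint(f[1]) is not None
    return False

def example6(second_step="x+1"):
    """Example 6; the second x' = x + 1 can be replaced to show the caveat."""
    phase1 = ("U", ("and", ("P", "P"), eq("x'", "x+1")),
                   ("and", ("P", "Q"), eq("x'", second_step)))
    return ("and", eq("x", "0"),
            ("U", phase1, ("or", ("P", "R"), atom("a", "<", "x"))))
```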

Here, we have to extend the notion of a flat automaton, corresponding to the 
extension of the syntax of formulas. 

Definition 7. A piecewise flat automaton is a counter automaton on an alpha- 
bet Σ = 2^V such that there is a partition Q_1 ⊎ ... ⊎ Q_n of the set of states Q 
and an ordering on {Q_1, ..., Q_n} such that: 

— for every i, there is a constraint φ_i ∈ C(x_1, ..., x_k) 

— for every transition q → q' of the automaton, if q ∈ Q_i and q' ∈ Q_j, then 
Q_i ≥ Q_j 

— for every transition q -c-> q' such that q, q' ∈ Q_i, there is a conjunction ψ 
of propositional variables and negations of propositional variables such that 
c = φ_i ∧ ψ 

Example 7. Consider the pay phone example of figure 1. With each event, we 
associate a propositional variable. Then the behavior between two lift events (i.e. 
a "session") is described by a piecewise flat automaton. Actually, more complex 
actions could be described within the same class of models, for instance using 
more coin types, calling services... 

Proposition 2. The class of languages accepted by piecewise flat automata is 
closed under union and intersection. 

Sketch of the proof: It is almost the same as the closure of flat languages. We 
use the closure of C(x_1, ..., x_k) under conjunction and, for intersection, a product 
construction which is similar to the Büchi automata intersection construction. 
□ 



Theorem 7. The models of an L_F^+ formula are recognized by a piecewise flat 
automaton. 

Sketch of the proof: As before, we proceed by induction on the formula. Thanks 
to proposition 2 we only have to show the construction for X and U. The 
construction for U is actually complicated. An example is depicted on figure 4. 
Let A_{φ_1} be the automaton accepting the models of φ_1, Q_1 its set of states, and 
A_{φ_2} be the automaton accepting the models of φ_2 and Q_2 its set of states. 

Fig. 4. The piecewise flat automaton for φ_1 U φ_2 
The idea is the following: while we do not reach a point where φ_2 is satisfied, 
at each move, the automaton launches a copy of A_{φ_1} on the rest of the word. 
This is shown on an example on figure 4. Hence the set of states of the automaton 
A_{φ_1 U φ_2} is the union of {S ⊆ Q_1 | q_0 ∈ S} and 2^{Q_1} × Q_2, if q_0 is the initial state 
of A_{φ_1}. 

The initial state of A_{φ_1 U φ_2} is the singleton {q_0}; the final states are the 
pairs (S, q) where S is a subset of the final states of A_{φ_1} and q is a final state 
of A_{φ_2}. Transitions are computed as follows: a state S ⊆ Q_1 is considered as the 
conjunction of all states in S; if S, S' ⊆ Q_1, q_0 ∈ S', f is a mapping from S to S', 
then there is a transition from S to S' which is labeled ⋀_{q ∈ S} c_{q,f(q)} where c_{q,f(q)} is 
the constraint of one of the transitions from q to f(q) in A_{φ_1}. This corresponds 
to the case where we did not hit yet a position at which φ_2 is satisfied. We may 
also move from a state S to a state (S', q') if q' ∈ Q_2 and S' ⊆ Q_1, under the same 
conditions as above, except that we do not require q_0 ∈ S' and move instead 
from the initial state of A_{φ_2} to q' (see figure 4): this corresponds to the guess 
that we are going to satisfy φ_2 at the current position. Finally, we also have 
transitions from (S, q) to (S', q') which correspond basically to the intersection 
of copies of A_{φ_1} and one copy of A_{φ_2}. 

The construction would be similar if we defined an alternating version of the 
automata and then transformed it into a non-deterministic one: the exponential 
blow-up is unavoidable for the states of the formula φ_1. 

One important remark is that we still get a piecewise flat automaton here, 
which would not be the case if we allowed arbitrary formulas on the left of 
an until. Indeed, the powerset construction for A_{φ_1} introduces transitions which 
are labeled with arbitrary conjunctions of constraints occurring in φ_1. It remains 
piecewise flat only because all these constraints are identical. □ 

Theorem 8. Emptiness is decidable for piecewise flat automata. 

Sketch of the proof: We only have to check the reachability for the projection 
automaton, where we forget the letters of Σ. Then all states in the same Q_i 
collapse into a single state and we are back to corollary 1. □ 



Theorem 9. Satisfiability and model checking of ¬φ on A are decidable for 
φ ∈ L_F^+ and A a piecewise flat automaton. 

Sketch of the proof: This follows from theorems 7 and 8 and proposition 2. □ 

Finally, let us remark that we can also consider the conjunction of L_F^+ for- 
mulas with arbitrary constraints in the additive theory of our domain D (N, Z, 
Q+, R+). It is not difficult to see directly how satisfiability and model-checking 
can be decided, but there is one elegant way to do it: 

Proposition 3. For every formula φ in Presburger arithmetic, whose free vari- 
ables are x_1, ..., x_k, there is a flat automaton A_φ with k + m counters such that, 
if E is the set of last letters of finite words accepted by A_φ, then 

    {v ∈ N^k | v ⊨ φ} = {v ∈ N^k | ∃w ∈ N^m, (v, w) ∈ E} 

Then we can build a piecewise flat counter automaton which accepts the 
models of both the L_F^+ formula and the first-order constraint. 

In other words, the proposition says that we can encode Presburger arith- 
metic in L_F, which shows that we can perform some general parametric quanti- 
tative reasoning. 

7 Conclusion 

The symbolic representation of states played a crucial role in increasing the 
efficiency of model-checkers |Hj. It is even more crucial for infinite state systems. 
We believe that constraints, i.e. logical formulas interpreted in a given domain, 
are an adequate symbolic representation in this case. The main advantage w.r.t. 
other representations is their declarativeness and the easy combination with logical 
formalisms. 

In this paper, we provided an example of application: we can design a 
temporal logic which combines the representation of infinite sets of configura- 
tions using constraints with the usual temporal properties. We have also shown 
a device (an automaton) accepting the set of models, hence allowing one to decide e.g. 
satisfiability. 

This generalizes the results on LTL satisfiability and model-checking: it is 
now possible to consider counters in a restricted way. Unlike in the previous 
works, we put the restrictions on the control of the automaton (flatness), which 
has a logical counterpart. 

There is still one important weakness of our results: we do not know anything 
about their possible usefulness in practice. In principle, the complexity of the 
algorithms are prohibitive. However, the main source of complexity is the number 
of counters, which can be low (2 or 3) in many examples. 

As we noticed at the end of the previous section, it is possible to express some 
parametric quantitative properties, as defined in n using additional counters 
and the logic £+. For instance, (f can be translated using an additional 

counter y into: y = Q /\ {{4> A y' = y + 1) U{y < x A fj)). We want to investigate 
this application: which fragments of the PLTL logic of 0 are (easily) expressible 
in Cp ? For these fragments, we can check quantitative properties not only on 
finite automata, but also on piecewise flat automata with counters. 

Another possible further investigation would be to consider the branching 
time temporal logic instead of PLTL. 
Abstract. Entailment relations, originated from Scott, have been used 
for describing mathematical concepts constructively and for representing 
categories of domains. This paper gives an analysis of the freely gener- 
ated frames from entailment relations. This way, we obtain completeness 
results under the unifying principle of the spatiality of coherence logic. In 
particular, the domain of disjunctive states, derived from the hyperreso- 
lution rule as used in disjunctive logic programs, can be seen as the frame 
freely generated from the opposite of a sequent structure. At the cate- 
gorical level, we present equivalences among the categories of sequent 
structures, distributive lattices, and spectral locales using appropriate 
morphisms. 



Introduction 

Entailment relations were introduced by Scott as an abstract description of Gentzen’s sequent calculus [?]. It can be seen as a generalisation of the earlier consequence calculus of Hertz [?] to a multi-conclusion consequence relation. The notion of consequence relation, with only one conclusion, has been analysed by Tarski [?]. This consequence calculus has been used by Scott in order to give a concrete representation of domains, as in information systems [?]. It is thus natural to wonder if the more general notion of entailment relation, with multiple conclusions, can be used to represent larger categories of domains, such as those related to non-determinism. This is indeed the case, and it has been developed in [?] and [?], in an independent way from Scott’s work on entailment relations (in [?], a set together with an entailment relation is called a sequent structure). Another related reference, also independent from Scott’s work, is [?].

In this paper we analyse various completeness theorems for sequent structures 
by embedding them into frames. A goal of this study is to provide a unified 
way to present completeness results in logic, such as those for resolution and 
hyperresolution . 

* Corresponding author. 
A number of recent developments serve as the motivation for the current paper. In [?], it is shown that entailment relations are naturally connected to several mathematical structures. They can be used to give elegant constructive versions of some basic mathematical concepts (and theorems), such as continuous linear forms, spaces of valuations, etc. One key point here is that it is often possible to get direct explicit descriptions of entailment relations generated by some rules, avoiding syntactical induction and case analysis on derivations.

In order to understand appropriate domains for the semantics of disjunctive logic programs, [?] introduces clausal logic based on the so-called hyperresolution rule [?]. Completeness of hyperresolution provides the basis for this domain-theoretic semantics: it establishes the equivalence of the model-theoretic semantics and the proof-theoretic semantics. Here, a set of clauses closed under hyperresolution is called a disjunctive state; the collection of disjunctive states under inclusion forms a complete lattice, which, in the case of information systems, is isomorphic to the Smyth powerdomain.

A natural question is whether the cpo of disjunctive states can be seen as 
a universal construction for sequent structures. Related to this question is the 
canonical embedding of a sequent structure into a frame. For this purpose we 
use Johnstone’s coverage method [7] to study frames generated from a sequent 
structure as well as from its opposite. Interestingly, the frame generated from 
the opposite is precisely the complete lattice of disjunctive states. Moreover, in 
each case the universal map gives a way to capture a point of the frame as an 
ideal element of the underlying sequent structure. 

The completeness theorem of coherent logic states that any coherent (or 
spectral) frame is spatial [2]. It ensures that enough models exist to uniquely determine the partial order, where models correspond to completely prime filters. 
This means that when sequent structures are embedded into spectral frames, 
we have enough models to uniquely determine the entailment relation, and thus 
obtain certain completeness result “for free”, such as the completeness of hyper- 
resolution. In return, existing results [?] related to hyperresolution suggest 
several explicit constructions for the sequent-structure-generated frames: a se- 
mantical one, a proof-theoretic one, and a third one based on the notion of 
“choice inference”. 

A couple of results in this paper may be seen as “folklore”; their roots may be traced back eventually to Stone’s representation theorem [?]. We feel however that our contribution lies in tying in the more discrete notion of sequent structures with the more complete notion of locales through the so-called coverage relation [7] in a concrete logical setting. This allows the importation of existing 
results in locales to sequent structures, shedding new light on the topic. It is, 
for instance, quite interesting that the hyperresolution rule appears naturally in 
solving the problem of embedding an entailment relation in a frame, and it may 
not be obvious a priori that the disjunctive states form a frame. We hope that 
this paper is a first step in exploring completeness of various logical systems by 
means of canonical embedding to locales. 
1 Coverage and Spatiality of Spectral Frames 

A frame is a poset with finite meets and arbitrary joins which satisfies the infinite distributive law
$$x \wedge \bigvee Y = \bigvee \{x \wedge y \mid y \in Y\}.$$
For frames $F$ and $G$, a frame morphism is a function $f : F \to G$ that preserves finite meets and arbitrary joins. Frames are also called locales. 

Johnstone ([7], page 57) provides a way to construct a frame from a meet-semi-lattice based on the notion of coverage relation. 

Definition 1. Let $(S, \wedge, \le)$ be a meet-semi-lattice. A coverage on $S$ is a relation ${\succ} \subseteq 2^S \times S$ satisfying 

1. if $Y \succ a$ then for any $y \in Y$, $y \le a$; 

2. if $Y \succ a$ then for any $b \le a$, $\{y \wedge b \mid y \in Y\} \succ b$. 

A $\succ$-ideal determined by coverage is a subset $I$ of $S$ which is 

1. lower-closed: $a \in I \ \&\ b \le a \Rightarrow b \in I$, 

2. covered: $U \succ a \ \&\ U \subseteq I \Rightarrow a \in I$. 

A meet-semi-lattice $S$ equipped with a coverage relation is called a site. A frame $H$ with $i : S \to H$ is said to be generated from a site $(S, \succ)$ if 

— $i$ preserves finite meets, 

— $i$ transforms covers to joins: $Y \succ a \Rightarrow i(a) = \bigvee i(Y)$, and 

— $H, i$ is universal, i.e., the following diagram commutes: 




Remark. For here and for the rest of the paper, all maps are assumed to preserve the respective structures they are acting on. This remark will be implicitly in force for all commutative diagrams and will not be repeated. We also remark in general that such a universal property guarantees that the generated structures are always unique up to isomorphism. 

Here is Johnstone’s basic result for the coverage relation. 

Theorem 1 (Coverage Theorem [7], page 58). The collection of $\succ$-ideals under inclusion is the frame generated from a site $(S, \succ)$. 

Recall that a frame can be seen as a “point-free” description of the open sets of a topological space. In this view, points are not basic, but are defined as collections of opens: a point of a frame is a completely prime filter, i.e. a filter $\alpha$ such that if $\bigvee X \in \alpha$ then there exists $x \in X$ such that $x \in \alpha$. If $H$ is generated from $(S, \succ)$ then a point is determined by its restriction to $S$, which is a filter $\alpha$ of $S$ such that $a \in \alpha \ \&\ Y \succ a \Rightarrow (\exists b \in Y)\ b \in \alpha$. A frame $H$ is called spatial (or has enough points) if for any $a, b \in H$, $a \le b$ iff $\forall \alpha$, $a \in \alpha$ implies $b \in \alpha$, where $\alpha$ ranges over points of $H$. Intuitively, if we regard $a, b$ as sets of points, then $a \le b$ exactly when $a \subseteq b$. 

There is a standard way to generate a frame from a distributive lattice $D$. One defines the coverage by letting $U \succ a$ if and only if every element of $U$ is below $a$ and there exists a finite subset $X$ of $U$ such that $a = \bigvee X$. By distributivity, this is a coverage relation. A $\succ$-ideal is then exactly an ideal of $D$: a downward-closed subset of $D$ closed under finite joins. The generated frame is precisely the so-called ideal completion of $D$, which is written as $\mathrm{Idl}(D)$. 

We say that a frame (locale) is coherent or spectral if it is isomorphic to the ideal completion of a distributive lattice¹. The following fact will be used in the rest of the paper. 

Theorem 2 ([7], page 65). Spectral frames are spatial. 

2 Sequent Structures, Distributive Lattices, and Frames 

We are interested in the question of frames generated by sequent structures. There are two ways to construct the frame generated by a sequent structure. The first construction, discussed in this section, is an implicit one built in two steps: obtaining the generated distributive lattice [2] first, and then taking its ideal completion as mentioned above. The second, explicit construction is obtained by defining an appropriate coverage relation, which will be discussed in Section 5. 

Let us recall the notion of entailment relation introduced by Scott in [?]. 

Definition 2. An entailment relation (or a sequent structure) is a set $A$ with a binary relation $\vdash$ between finite subsets $\mathrm{Fin}(A)$ of $A$ such that 

$$(\mathrm{I})\ \ \frac{}{a \vdash a} \qquad\qquad (\mathrm{W})\ \ \frac{S \supseteq X \qquad X \vdash Y \qquad Y \subseteq T}{S \vdash T} \qquad\qquad (\mathrm{C})\ \ \frac{X \vdash Y, a \qquad a, X \vdash Y}{X \vdash Y}$$

We use the notations $X, Y, \dots$ for finite subsets of $A$, and $X, Y$ for $X \cup Y$ while $X, a$ for $X \cup \{a\}$. 

Several properties of entailment relations are self-evident. First, entailment relations are completely symmetric: $(A, \vdash)$ is an entailment relation iff $(A, \dashv)$ is. Second, entailment relations are closed under arbitrary intersections. Third, since the largest relation on $\mathrm{Fin}(A)$ is an entailment relation, given a family $(X_i, Y_i)_{i \in I}$ of pairs of finite subsets of $A$, the entailment relation generated by the rules $X_i \vdash Y_i$ can be seen to be the intersection of all entailment relations on $A$ satisfying $X_i \vdash Y_i$ for all $i \in I$. (Of course one can close $(X_i, Y_i)_{i \in I}$ up by (I), (W), and (C) directly.) Last, information systems [?] can be seen as a special kind of entailment relation generated by rules of the form $X_i \vdash Y_i$ with $Y_i$ being either a singleton or empty (intuitionistically they are more complex, however). 

¹ The term coherent is used in such a way in [?]. But it is used with another meaning in domain theory or even in [?]. The term spectral, used because such frames are exactly the ones that are spectra of a commutative ring, is less ambiguous. 

Distributive lattices freely generated from sequent structures make it possible to use lattice-theoretic constructions in sequent structures. The concept of freely generated lattices is introduced in [?]. 

Definition 3. For a distributive lattice $D$ and a sequent structure $(A, \vdash)$, a map $i : A \to D$ is said to preserve $\vdash$ if $X \vdash Y$ implies $\bigwedge i(X) \le \bigvee i(Y)$. We say that the distributive lattice $\mathrm{L}(A)$ is generated by $(A, \vdash)$ if there is a $\vdash$-preserving map $i : A \to \mathrm{L}(A)$ which is universal among all such maps, that is, every $\vdash$-preserving map $A \to D$ factors through $i$ by a unique lattice morphism $\mathrm{L}(A) \to D$. 

Theorem 3 (Cederquist and Coquand [?]). Any entailment relation $(A, \vdash)$ generates a distributive lattice $(\mathrm{L}(A), \le)$ with a map $i : A \to \mathrm{L}(A)$ such that 
$$X \vdash Y \iff \bigwedge i(X) \le \bigvee i(Y)$$
for all finite subsets $X, Y$ of $A$, where $i(X)$ is the image of $X$ under $i$. 

We can study the similar topic of interpreting a sequent structure in a frame. 

Definition 4. Let $H$ be a frame. An interpretation of a sequent structure $(A, \vdash)$ in $H$ is a map $m : A \to H$ such that for every finite $X, Y$, 
$$X \vdash Y \Rightarrow \bigwedge m(X) \le \bigvee m(Y).$$
A frame $\mathrm{Frm}(A)$ is generated by $(A, \vdash)$ if there is a universal interpretation $m_\infty : A \to \mathrm{Frm}(A)$, that is, every interpretation $m : A \to H$ factors through $m_\infty$ by a unique frame morphism $\mathrm{Frm}(A) \to H$. 

Given a sequent structure $(A, \vdash)$, one can first generate the distributive lattice $\mathrm{L}(A)$ using Theorem 3 and then obtain the generated frame $\mathrm{Frm}(A) := \mathrm{Idl}(\mathrm{L}(A))$ by ideal completion (see the ending part of Section 1). Combining the two steps, we get a commutative diagram composing $i : A \to \mathrm{L}(A)$ with $\mathrm{idl} : \mathrm{L}(A) \to \mathrm{Idl}(\mathrm{L}(A))$, which is exactly a proof of the following result: 

Theorem 4. Every sequent structure $(A, \vdash)$ generates a frame $\mathrm{Idl}(\mathrm{L}(A))$ with interpretation $m_0 = \mathrm{idl} \circ i$. 

One can prove additionally that the map $m_0$ has the property that for any finite $X, Y$, $X \vdash Y$ if and only if $\bigwedge m_0(X) \le \bigvee m_0(Y)$. By Theorem 3 it is enough to show that if $\mathrm{idl}(u) \le \mathrm{idl}(v)$ in $\mathrm{Idl}(\mathrm{L}(A))$ then $u \le v$ in $\mathrm{L}(A)$, where $\mathrm{idl}(u)$ stands for the principal ideal generated by $u \in \mathrm{L}(A)$. But this follows from the special construction of $\mathrm{Idl}(\mathrm{L}(A))$ as the ideal completion of $\mathrm{L}(A)$. 

3 Ideal Elements, Prime and Completely Prime Filters 

What makes the results given in the previous section useful is that we have a 
canonical correspondence between ideal elements of the sequent structure, prime 
filters of the distributive lattice, and completely prime filters of the generated 
frame. We establish the correspondence in this section. 

We must first recall what an ideal element is. Ideal elements have been used for representing domains. Given a sequent structure, the set of all of its ideal elements forms a dcpo under inclusion. One can obtain different categories of domains by considering different (sub)classes of sequent structures [?]. 

Definition 5. A subset $x \subseteq A$ is called an ideal element with respect to a sequent structure $\mathcal{A} = (A, \vdash)$ if it is closed under entailment (where $\subseteq^{\mathrm{fin}}$ stands for “finite subset of”): 
$$(X \subseteq^{\mathrm{fin}} x \ \&\ X \vdash Y) \Rightarrow x \cap Y \text{ inhabited}.$$
The set of all ideal elements of $\mathcal{A}$ is denoted as $|\mathcal{A}|$. 

A co-element of a sequent structure $(A, \vdash)$ is an ideal element of $(A, \dashv)$. By logical transposition, one easily checks classically that $y$ is a co-element of $(A, \vdash)$ iff $y$ is the complement of an ideal element $x$ of $(A, \vdash)$; but our definition of co-element is formulated in a purely positive way. 

As noted earlier, for any sequent structure $(A, \vdash)$, $(|\mathcal{A}|, \subseteq)$ is a dcpo (not necessarily with bottom). 
Let $(A, \vdash)$ be a sequent structure and $i : A \to \mathrm{L}(A)$, $m : A \to \mathrm{Frm}(A)$ be the universal maps for the generated distributive lattice $\mathrm{L}(A)$ and generated frame $\mathrm{Frm}(A)$, respectively. For $x \subseteq A$, define $I_x \subseteq \mathrm{L}(A)$ as 
$$I_x := \{u \in \mathrm{L}(A) \mid (\exists X \subseteq x)\ \bigwedge i(X) \le u\}$$
and define $J_x \subseteq \mathrm{Frm}(A)$ in exactly the same way: 
$$J_x := \{u \in \mathrm{Frm}(A) \mid (\exists X \subseteq x)\ \bigwedge m(X) \le u\}.$$

We have the following result, which shows that ideal elements, prime filters, and completely prime filters uniquely determine each other under their respective universal maps. A direct proof of the second item is given later in Proposition 1. 

Theorem 5. Let $(A, \vdash)$ be a sequent structure. 

1. If $I$ is a prime filter of $\mathrm{L}(A)$ then the restriction of $I$ to $A$, that is the set $i^{-1}(I)$, is an ideal element. Conversely if $x$ is an ideal element of $(A, \vdash)$ then $I_x \subseteq \mathrm{L}(A)$ is a prime filter such that $x = i^{-1}(I_x)$. 

2. If $J$ is a completely prime filter of $\mathrm{Frm}(A)$ then the restriction of $J$ to $A$, that is the set $m^{-1}(J)$, is an ideal element. Conversely if $x$ is an ideal element of $(A, \vdash)$ then $J_x \subseteq \mathrm{Frm}(A)$ is a completely prime filter such that $x = m^{-1}(J_x)$. 

Proof. The first item is stated in [3] and the second item follows from item 1, Theorem [?] and an exercise in ([7], page 66) which states that there is a bijection between prime filters of $\mathrm{L}(A)$ and completely prime filters of $\mathrm{Frm}(A)$. □ 

Note that ideal elements need not exist for an arbitrary sequent structure. In particular, if we allow $\emptyset \vdash \emptyset$, then there is no way to obtain an ideal element. However, we have this basic result: 

Theorem 6 (Completeness). Every sequent structure $(A, \vdash)$ has enough ideal elements: $X \vdash Y$ iff for all ideal elements $x$, the set $x \cap Y$ is inhabited whenever $X \subseteq x$. 

This theorem is an immediate consequence of Theorem 2 and Theorem [?] above. A quite standard direct proof also exists by using classical logic and a weak form of the axiom of choice: one shows that if $X \nvdash Y$, then there is an ideal element $x$ such that $X \subseteq x$ but $x \cap Y = \emptyset$. This is done by showing that the maximal filter $F$ containing $\bigwedge X$ and disjoint from ${\downarrow}\bigvee Y$ in the generated lattice $\mathrm{L}(A)$ is prime. The ideas used in such a proof seem to come from Birkhoff [2]. 

It is worth noting a number of consequences of Theorem 6. First, if we start from a set of pairs $\{(X_i, Y_i) \mid i \in I\}$, then the least entailment relation generated by it can be described as $X \vdash Y$ if and only if for any $x$, if $X \subseteq x$, then $x \cap Y$ is inhabited, where $x$ is an ideal element determined by $\{(X_i, Y_i) \mid i \in I\}$. 

Secondly, as a special case of Theorem 6 we have $\emptyset \vdash \emptyset$ if and only if the sequent structure does not have any ideal element. This is precisely when the generated distributive lattice $\mathrm{L}(A)$ is degenerate, i.e., $0 = 1$. (However, a direct proof of this and the next remark is possible.) 

Thirdly, from the proof of Theorem 6 we see that for any finite set $X \subseteq A$, there is an ideal element containing $X$ if and only if $X \nvdash \emptyset$. 

Finally, notice that rule (C) is a form of the resolution rule. Thus, we get as a consequence completeness of resolution: a clause $X \vdash Y$ is a semantical consequence of a set of rules $X_i \vdash Y_i$, that is, is valid in any model satisfying these rules, iff it can be deduced from these rules using (I), (W) and (C). 

4 Clausal Logic and Hyperresolution 

The notion of clause is a basic concept in logic programming. A natural framework for reasoning about clauses, called clausal logic, is demonstrated in [?] to play a fundamental role in disjunctive logic programming semantics. 

With respect to a sequent structure $(A, \vdash)$, a clause is a finite subset of $A$, and a clause set is a collection of clauses. An ideal element $x$ is a model of a clause $u$ if $x \cap u \neq \emptyset$. $x$ is a model of a clause set $W$ if it is a model of every clause in $W$. There are three distinct notions of inference in clausal logic: $\models$, $\vdash_h$ and the “choice inference” $\dashrightarrow$. For a clause set $W$ and a clause $u$, we write 

1. $W \models u$ if every model of $W$ is a model of $u$. This is a model-theoretic concept, capturing the semantics. 

2. $W \vdash_h u$ if either $\emptyset \in W$, or $u$ can be deduced from $W$ using the so-called hyperresolution rule 
$$\frac{a_1, X_1 \qquad \cdots \qquad a_n, X_n \qquad a_1, \dots, a_n \vdash Y}{X_1, \dots, X_n, Y}$$
This is clearly a proof-theoretic, or operational, concept. 

3. $\{X_1, \dots, X_n\} \dashrightarrow u$ if $\{a_i \mid 1 \le i \le n\} \vdash u$ for any choice $a_1 \in X_1, a_2 \in X_2, \dots, a_n \in X_n$. This is an intermediate notion: it uses the notion of arbitrary choice. 

A result of [?] is that the three distinct notions of inference are equivalent to each other. 

Theorem 7 (Rounds and Zhang). Let $(A, \vdash)$ be a sequent structure. Let $W$ be a finite clause set, and $u$ a clause. The following three items are equivalent: 

1. $W \models u$, 

2. $W \vdash_h u$, 

3. $W \dashrightarrow u$. 

For any clause set $C$, we write $\mathfrak{h}C$ for the least clause set containing $C$ and closed under hyperresolution. A disjunctive state is a clause set $C$ such that $C = \mathfrak{h}C$. 

The concept of disjunctive state is well-behaved on sequent structures [?]. 

Theorem 8. For a sequent structure $\mathcal{A}$, the set of all its disjunctive states under inclusion is a complete lattice. 

This theorem will be refined later, by giving a universal property of the lattice of disjunctive states w.r.t. the sequent structure $(A, \vdash)$. 
5 Explicit Construction of Generated Frame Using Coverage 

It is possible to give an explicit construction of the generated frame from a sequent structure $(A, \vdash)$ through an appropriate coverage relation defined by a dual form of hyperresolution. 

For a sequent structure $(A, \vdash)$, consider the meet-semi-lattice $(\mathrm{Fin}(A), \cup, \supseteq)$ and the relation defined by $\{a_1, X,\ a_2, X,\ \dots,\ a_n, X\} \succ X$ iff $X \vdash a_1, \dots, a_n$. Note that no subscripts are used for the $X$s here. Note also that if $X \vdash \emptyset$, then we have $\{\} \succ X$ (one can take this to be the $n = 0$ case). This is clearly a coverage relation, according to Definition 1. A $\succ$-ideal is, by definition, precisely a subset $U \subseteq \mathrm{Fin}(A)$ such that 

— if $X \in U$ and $Y \supseteq X$, then $Y \in U$; 

— if $\{a_1, X,\ a_2, X,\ \dots,\ a_n, X\} \subseteq U$ and $X \vdash a_1, \dots, a_n$, then $X \in U$. 

We call such $\succ$-ideals conjunctive states and write $H_0$ for the set of all conjunctive states. For a set $U \subseteq \mathrm{Fin}(A)$, we write $cU$ for the conjunctive state generated by $U$. Note that there is a conceptually simpler way to generate such a conjunctive state: first close $U$ under finite supersets, and then add in all the $X$s that are covered by some finite subset of the resulting set. We can do this because the only way to obtain a covered set is by removing at most one element from an existing set. 

There is also a useful proof-theoretic reading of the generated conjunctive state. For any set $U \subseteq \mathrm{Fin}(A)$, its generated state $cU$ consists of all $X$s that can be derived from assumptions from $U$ by using supersets of sets in $U$ and the unique rule of inference: 
$$\frac{a_1, X \qquad \cdots \qquad a_n, X}{X} \quad \text{provided } X \vdash a_1, \dots, a_n.$$

By Theorem 1 we immediately obtain that the set of conjunctive states under inclusion is the frame generated from the meet-semi-lattice $(\mathrm{Fin}(A), \cup, \supseteq)$ with coverage $\succ$, which depends on $\vdash$. We show that this frame has the required universal property for an interpretation. 

Lemma 1. Let $H$ be any frame. There is a bijection between (finite) meet-preserving maps $i : \mathrm{Fin}(A) \to H$ that transform covers to joins, and interpretations $m : A \to H$. 

Proof. Suppose $i : \mathrm{Fin}(A) \to H$ preserves finite meets and transforms covers to joins. Define a map $m_i : A \to H$ by letting $m_i(a) := i(\{a\})$ for each $a \in A$. We show that $m_i$ is an interpretation. Since $i$ preserves finite meets and meet for $\mathrm{Fin}(A)$ is set union, we have, for any finite $X \subseteq A$, 
$$i(X) = i\Big(\bigcup_{a \in X} \{a\}\Big) = \bigwedge_{a \in X} i(\{a\}) = \bigwedge_{a \in X} m_i(a) = \bigwedge m_i(X).$$
Suppose $X \vdash Y$, with $Y = \{a_1, \dots, a_n\}$. By the definition of $\succ$, 
$$\{a_1, X,\ a_2, X,\ \dots,\ a_n, X\} \succ X.$$
Since $i$ transforms covers to joins, we have 
$$i(X) = i(X \cup \{a_1\}) \vee \cdots \vee i(X \cup \{a_n\}) \le i(\{a_1\}) \vee \cdots \vee i(\{a_n\}) = \bigvee m_i(Y).$$
Therefore, $\bigwedge m_i(X) \le \bigvee m_i(Y)$, as needed. (Note that when $X \vdash \emptyset$, the empty collection $\{\}$ covers $X$, by definition. Transforming covers to joins in this case means $i(X) = \bigvee \emptyset = 0$, which can be restated as $\bigwedge m_i(X) \le \bigvee m_i(\emptyset)$.) 

Suppose, on the other hand, that $m : A \to H$ is an interpretation. We define a map $i_m : \mathrm{Fin}(A) \to H$ by letting $i_m(X) := \bigwedge m(X)$ for each $X \in \mathrm{Fin}(A)$. By this definition, $i_m$ automatically preserves finite meets. We show that it also transforms covers to joins. If $\{a_1, X,\ a_2, X,\ \dots,\ a_n, X\} \succ X$ then by definition $X \vdash a_1, \dots, a_n$. Therefore, 
$$\bigwedge m(X) \le m(a_1) \vee m(a_2) \vee \cdots \vee m(a_n).$$
By distributivity, we have 
$$\bigwedge m(X) = \Big(\bigwedge m(X \cup \{a_1\})\Big) \vee \cdots \vee \Big(\bigwedge m(X \cup \{a_n\})\Big).$$
This means $i_m(X) = i_m(X \cup \{a_1\}) \vee \cdots \vee i_m(X \cup \{a_n\})$, which is exactly the required property of “transforming covers to joins”. 

It is clear that the given transformations $i \mapsto m_i$ and $m \mapsto i_m$ amount to a bijection. □ 

By the previous lemma and the Coverage Theorem, we arrive at the next conclusion, which says that $H_0$ is the frame generated from $(A, \vdash)$. 

Theorem 9. For any sequent structure $(A, \vdash)$, the set of its conjunctive states $H_0$ is a frame under inclusion. Moreover, the interpretation $m_0 : A \to H_0$ mapping $a$ to $c\{a\}$ is universal. Furthermore we have $X \vdash Y$ if and only if $\bigwedge m_0(X) \le \bigvee m_0(Y)$ for all finite subsets $X, Y$ of $A$. 

Lemma 2. Let $X, Y \in \mathrm{Fin}(A)$. Then $c\{X\} \wedge c\{Y\} = c\{X\} \cap c\{Y\} = c\{X \cup Y\}$. 

Proof. We show the non-trivial part that $c\{X\} \cap c\{Y\} \subseteq c\{X \cup Y\}$. Suppose $Z \in c\{X\} \cap c\{Y\}$. Then one has a derivation tree for $Z$ with supersets of $X$ as leaves/premises as well as a derivation tree for $Z$ with supersets of $Y$ as leaves. One can use structural induction on derivations to show that the two derivation trees can always be put together to obtain a derivation tree for $Z$ with supersets of $X \cup Y$ as leaves. Therefore, $Z \in c\{X \cup Y\}$. □ 

The concrete notion of coverage allows a direct proof of the correspondence between ideal elements of $(A, \vdash)$ and completely prime filters of $H_0$, repeated as follows. 
Proposition 1. Let $m_0 : A \to H_0$ be the universal interpretation given in the previous theorem. If $J$ is a completely prime filter of $H_0$ then the restriction of $J$ to $A$, that is the set $m_0^{-1}(J)$, is an ideal element of $(A, \vdash)$. Conversely, if $x$ is an ideal element then $J_x \subseteq H_0$ is a completely prime filter such that $x = m_0^{-1}(J_x)$, where $J_x := \{u \in H_0 \mid (\exists X \subseteq x)\ \bigwedge m_0(X) \le u\}$. 

Proof. Suppose $J$ is a completely prime filter of $H_0$. We show that $m_0^{-1}(J)$ is an ideal element. Suppose $X \vdash Y$ and $X \subseteq m_0^{-1}(J)$. Then $m_0(X) \subseteq J$ and so $\bigwedge m_0(X) \in J$ since $J$ is a filter. Now Theorem 9 implies $\bigwedge m_0(X) \le \bigvee m_0(Y)$, and so $\bigvee m_0(Y) \in J$. As $J$ is prime, we have $m_0(b) \in J$ for some $b \in Y$. So $Y \cap m_0^{-1}(J)$ is inhabited. 

On the other hand, suppose $x$ is an ideal element. We show that $J_x$ is a completely prime filter. It is easy to see that it is a filter. To show it is completely prime, we use the concrete representation of elements in $H_0$ as conjunctive states. By Lemma 2, $\bigwedge m_0(X) = c\{X\}$. It suffices to show that if $X \subseteq x$ and $c\{X\} \subseteq \bigvee_{i \in I} U_i$, where the $U_i$ are conjunctive states, then there exist some $Y \subseteq x$ and $i \in I$ such that $Y \in U_i$. For this it is enough to notice that whenever we can apply the rule 
$$\frac{a_1, X \qquad \cdots \qquad a_n, X}{X} \quad \text{provided } X \vdash a_1, \dots, a_n$$
and $X \subseteq x$, then there exists $i$ such that $a_i, X \subseteq x$. Indeed there exists $i$ such that $a_i \in x$ because $x$ is an ideal element. □ 

As a result of Theorem 9 we can talk about joins and meets of finite subsets of $A$, with the understanding that such operations are always carried out in the generated frame $H_0$ (or in the generated lattice $\mathrm{L}(A)$). This is indeed the notational convention we adopt for the rest of the paper: $\bigwedge X$ stands for $\bigwedge m_0(X)$. 

Call $\bigwedge X$ a semantical consequence of $\bigwedge X_1, \dots, \bigwedge X_n$ if for any ideal element $x$, $X \subseteq x$ implies $X_i \subseteq x$ for some $i$. We have the following completeness result, which is dual to Theorem [?]. 

Proposition 2. Let $H_0$ be the frame generated by $(A, \vdash)$. The following are equivalent in $H_0$: 

1. $\bigwedge X$ is a semantical consequence of $\bigwedge X_1, \dots, \bigwedge X_n$. 

2. $\bigwedge X \le \bigwedge X_1 \vee \cdots \vee \bigwedge X_n$. 

3. $X \vdash a_1, \dots, a_n$ for any choice $a_1 \in X_1, \dots, a_n \in X_n$. 

If we apply the construction $H_0$ to the opposite of the relation $\vdash$, which is also an entailment relation, but still use the same underlying meet-semi-lattice, we get the following result. 

Theorem 10. The complete lattice of all disjunctive states of $(A, \vdash)$ is the frame generated by $(A, \dashv)$. 

Proof. The elements of the frame generated by $\dashv$ are sets $U$ of finite sets of $A$ such that $X \in U$ whenever we have $X_1, \dots, X_n \in U$ with $\bigvee X_1 \wedge \cdots \wedge \bigvee X_n \le \bigvee X$. This is the same as the complete lattice of disjunctive states (see Section 4). □ 
In particular, there is a canonical correspondence between points of the frame of all disjunctive states and co-elements of the sequent structure $(A, \vdash)$. 

It is clear that the hyperresolution rule (Section 4) is equivalent to the rule 
$$\frac{a_1, X \qquad \cdots \qquad a_n, X}{X} \quad \text{provided } a_1, \dots, a_n \vdash X$$
together with the rule 
$$\frac{X}{Y} \quad \text{provided } X \subseteq Y.$$
A simple combinatorial argument on permutation of rules shows that we can even suppose the use of this last rule limited to the leaves of the derivation tree. 

By duality, it follows from our results that $X$ is derived by hyperresolution from $X_1, \dots, X_n$ iff 
$$\bigvee X_1 \wedge \cdots \wedge \bigvee X_n \le \bigvee X$$
holds in $D$ or, equivalently, in $H_0$. Using Theorem 2 for the spectral frame $H_0$, this is true if and only if any point of $H_0$ containing $\bigvee X_1, \dots, \bigvee X_n$ contains also $\bigvee X$, which means exactly that the clause $X$ is a semantical consequence (Section 4) of the clauses $X_1, \dots, X_n$. We get in this way yet another derivation of the completeness of the hyperresolution rule, Theorem 7 (see [?] as well). By soundness of the cut rule (C), which is nothing else than a form of the resolution rule, this gives a constructive proof that transforms any resolution proof into a hyperresolution proof. 

In particular this shows the equivalence between $\vdash_h$ and the “choice inference” $\dashrightarrow$, as stated in Theorem 7. There is, however, a direct proof of this equivalence. 

Proposition 3. We have $X_1, \dots, X_n \dashrightarrow X$ if and only if $X$ follows from $X_1, \dots, X_n$ by the hyperresolution rule. 

Proof. For the “if” part we refer to [?]. We prove the “only if” part by induction on the size $\sum_i |X_i|$. Let $a_1 \in X_1, \dots, a_n \in X_n$. We claim that we can deduce all the clauses $X, a_i$ ($1 \le i \le n$) from $X_1, \dots, X_n$ using the hyperresolution rule. The result follows then from 
$$\frac{a_1, X \qquad \cdots \qquad a_n, X}{X} \quad \text{provided } a_1, \dots, a_n \vdash X.$$
Let us prove $X, a_1$ from $X_1, \dots, X_n$; the other cases are similar. Notice that we have $b_1, \dots, b_n \vdash X, a_1$ for any choice $b_1 \in X_1 - \{a_1\}, b_2 \in X_2, \dots, b_n \in X_n$. By induction hypothesis, we can deduce $X, a_1$ from $X_1 - \{a_1\}, X_2, \dots, X_n$ and hence from $X_1, \dots, X_n$. □ 
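To see the three notions of inference of Section 4, and the choice/hyperresolution equivalence of Proposition 3, at work on a concrete structure, here is an added Python example; it is not code from the paper. It builds a constructed sequent structure on A = {p, q, r, s} from four rules, reads the generated entailment relation off its ideal elements (first consequence of Theorem 6), computes the hyperresolution closure by brute force, and checks that ⊨, ⊢_h and the choice inference agree on every clause, as Theorem 7 states; the rule set, the clause sets and the restriction to injective choices are this example's own assumptions.

```python
from itertools import combinations, product

# Constructed example (not from the paper): a sequent structure on
# A = {p, q, r, s} generated by four rules X_i |- Y_i, read as a small
# disjunctive logic program: p or q holds; p implies r; q implies r;
# r and s are incompatible.
A = frozenset("pqrs")
RULES = [
    (frozenset(),     frozenset("pq")),   #      |- p, q
    (frozenset("p"),  frozenset("r")),    #   p  |- r
    (frozenset("q"),  frozenset("r")),    #   q  |- r
    (frozenset("rs"), frozenset()),       # r, s |-
]


def subsets(S):
    """All subsets of S as frozensets (Fin(A) when S = A)."""
    S = sorted(S)
    return [frozenset(c) for k in range(len(S) + 1) for c in combinations(S, k)]


def ideal_elements(rules):
    """Ideal elements (Definition 5) determined by the rules: subsets x of A
    such that X_i <= x implies x meets Y_i, for every rule."""
    return [x for x in subsets(A) if all(not X <= x or x & Y for X, Y in rules)]


IDEALS = ideal_elements(RULES)


def entails(X, Y):
    """X |- Y in the generated entailment relation, read off from the ideal
    elements as in Theorem 6: every ideal element containing X meets Y."""
    return all(x & Y for x in IDEALS if X <= x)


# Precomputed consequences: CONSEQ[X] lists every clause Y with X |- Y.
CONSEQ = {X: [Y for Y in subsets(A) if entails(X, Y)] for X in subsets(A)}


def is_model(x, W):
    """An ideal element x is a model of the clause set W if it meets every clause."""
    return all(x & u for u in W)


def semantic(W, u):
    """W |= u: every model of W is a model of u."""
    return all(is_model(x, {u}) for x in IDEALS if is_model(x, W))


def choice(W, u):
    """W ~~> u (choice inference): {a_1..a_n} |- u for every choice a_i in X_i.
    For W empty, product() yields the single empty choice, i.e. |- u."""
    return all(entails(frozenset(ch), u) for ch in product(*W))


def hyperresolution_closure(W):
    """The least clause set containing W and closed under the hyperresolution
    rule: from a_1,X_1 ... a_n,X_n with a_1,...,a_n |- Y derive
    X_1,...,X_n,Y (n = 0 allowed: from |- Y derive Y).
    Assumption of this example: premises are taken pairwise distinct with
    pairwise distinct chosen a_i. Since |- is closed under weakening (W), a
    step with a repeated a_i can be replaced by the step that drops the repeat
    followed by single-premise weakening steps, so no derivable clause is lost."""
    C = set(W)
    changed = True
    while changed:
        changed = False
        for n in range(len(A) + 1):
            snapshot = sorted(C, key=lambda c: (len(c), sorted(c)))
            for premises in combinations(snapshot, n):
                for chosen in product(*premises):
                    if len(set(chosen)) < n:
                        continue  # skip non-injective choices (see docstring)
                    rest = frozenset().union(*(c - {a} for c, a in zip(premises, chosen)))
                    for Y in CONSEQ[frozenset(chosen)]:
                        new = rest | Y
                        if new not in C:
                            C.add(new)
                            changed = True
    return C


def hyper(W, u):
    """W |-_h u: either the empty clause is in W or u is in the closure."""
    return frozenset() in W or u in hyperresolution_closure(W)


def theorem7_agrees(W):
    """Check Theorem 7 on this structure: |=, |-_h and ~~> coincide for every
    clause u in Fin(A)."""
    closure = hyperresolution_closure(W)
    return all(semantic(W, u) == (frozenset() in W or u in closure) == choice(W, u)
               for u in subsets(A))


if __name__ == "__main__":
    print("ideal elements:", [sorted(x) for x in IDEALS])
    W = {frozenset("ps")}
    print("hyperresolution closure of {p,s}:",
          sorted(sorted(u) for u in hyperresolution_closure(W)))
    print("Theorem 7 holds for W = {{p,s}}:", theorem7_agrees(W))
```

On this structure the ideal elements are exactly {p,r}, {q,r} and {p,q,r}, so for W = {{p,s}} all three notions derive precisely the clauses that meet {p,r}.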



6 Example: Spectrum of a Ring 

Let us give an example in algebra, that illustrates some of the notions introduced 
here. 

Let A be a commutative ring, and consider the entailment relation generated 
by the axioms 
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- hO, 

— x\- xy 

- X.y'r x + y 

- xy'r x,y 

- 1 h 

We have the following direct description of h. 

Theorem 11. X \- Y if and only if the product of elements in Y belong to the 
radical of the ideal generated by X. 

Proof. We prove first that the relation “the product of elements in Y belong to 
the radical of the ideal generated by X” is an entailment relation, which satisfies 
all the rules above. We analyse only the rule (C), the other rules being directly 
checked: assume that we have both X \- Y,a and a,X\-Y. Let y be the product 
of the elements in Y and I the ideal generated by X. We reason in A/ 1: by 
assumption ya is nilpotent (in A/ 1) and y belongs to the radical of the ideal 
generated by a. So we have m, n and x such that y" = ax and (ya)'^ = 0. This 
implies y'"(aa;)"* = = 0 and hence y is nilpotent in A/I . Hence X \- Y 

as required. 

It is direct that this entailment relation satisfies all the rules above. 
Conversely, if the product of elements in Y belong to the radical of the ideal 
generated by X, we can derive X h T using only the given axioms. Indeed, the 
first third rules show that X h y whenever y belongs to the ideal generated by 
X, while the two last rules show yi . . . y™ k yi, . . . , y^. Kl 

In the particular case where $A$ is a ring of polynomials, notice that we recover "for free" the proof of the formal Nullstellensatz theorem presented in jlD]: the following items

— $x_1, \ldots, x_n \vdash y$ is a consequence of the above axioms,

— $y$ belongs to the radical of the ideal generated by $x_1, \ldots, x_n$,

— $\{y\}$ can be derived from $\{x_1\}, \ldots, \{x_n\}$ by hyperresolution

are equivalent.

An ideal element of this entailment relation is then exactly a proper prime ideal of $A$. Furthermore, if $I$ is a radical ideal of $A$, then the set of finite subsets whose product is in $I$ is a disjunctive state $U_I$. Conversely, if $U$ is a disjunctive state, and $I$ is the set of elements $x$ such that $\{x\} \in U$, then $I$ is a radical ideal such that $U = U_I$.
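Theorem 11 made concrete over the ring $\mathbb{Z}$, as an added example that is not part of the paper: the ideal generated by a finite $X$ is $(\gcd X)$, so $X \vdash Y$ reduces to a radical-membership test, and the five generating axioms together with the cut rule (C) can be checked exhaustively on small integers. The function names are mine.

```python
from functools import reduce
from itertools import product
from math import gcd

def in_radical(y: int, g: int) -> bool:
    """Is y in the radical of the principal ideal (g) of Z?
    Some power of y lies in (g) iff every prime factor of g divides y."""
    if g == 0:                  # (0) is a prime ideal of Z, hence radical
        return y == 0
    g = abs(g)
    while g > 1:                # peel off the primes that g shares with y
        d = gcd(g, y)
        if d == 1:
            return False        # a prime factor of g does not divide y
        g //= d
    return True

def entails(X, Y) -> bool:
    """X |- Y by the description of Theorem 11: in Z the ideal generated by X
    is (gcd X), and the product of Y must lie in its radical."""
    g = reduce(gcd, X, 0)                   # gcd of the empty family is 0
    y = reduce(lambda u, v: u * v, Y, 1)    # the empty product is 1
    return in_radical(y, g)

def axioms_hold(sample) -> bool:
    """The five generating axioms, checked on a sample of integers."""
    ok = entails((), (0,)) and entails((1,), ())      # |- 0   and   1 |-
    for x, y in product(sample, repeat=2):
        ok = ok and entails((x,), (x * y,))           # x |- xy
        ok = ok and entails((x, y), (x + y,))         # x, y |- x + y
        ok = ok and entails((x * y,), (x, y))         # xy |- x, y
    return ok

def cut_rule_holds(sample) -> bool:
    """Rule (C): X |- Y, a and a, X |- Y imply X |- Y, on all small instances."""
    for x1, x2, y1, c in product(sample, repeat=4):
        X, Y = (x1, x2), (y1,)
        if entails(X, Y + (c,)) and entails((c,) + X, Y) and not entails(X, Y):
            return False
    return True
```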

7 Categorical Equivalences

We extend our terminology first in order to adequately express categorical concepts related to sequent structures.

We have a natural category Seq of sequent structures, where a map $f : A \to B$ is simply a map which preserves entailment: $X_1 \vdash X_2$ in $A$ implies $f(X_1) \vdash f(X_2)$ in $B$.

Furthermore, any distributive lattice $D$ (and hence any frame) defines a sequent structure $G(D)$ by taking $X \vdash Y$ to mean $\bigwedge X \le \bigvee Y$. This defines a functor $G : \mathrm{Spec} \to \mathrm{Seq}$ from the category of spectral frames, and an interpretation $m : A \to D$ is nothing else than a map $A \to G(D)$ in the category Seq.

If $A$, $B$ are sequent structures, we define an approximable relation from $A$ to $B$ to be an interpretation $m : A \to \mathrm{Frm}(B)$ of $A$ in the frame generated by $B$. Notice that, in view of Theorem 0, this can be seen as a relation $\vdash$ between finite subsets of $B$ and elements of $A$ satisfying the following conditions:

— for any $x \in A$ the set of all $Y \subseteq B$ such that $Y \vdash x$ is a conjunctive state,

— if we have $x_1, \ldots, x_n \vdash_A u_1, \ldots, u_m$ and $Y \vdash x_i$, $1 \le i \le n$, then there exist $Y_1, \ldots, Y_m$ such that $Y_j \vdash u_j$, $1 \le j \le m$, and $Y \vdash_B y_1, \ldots, y_m$ for any choice $y_j \in Y_j$, $j = 1, \ldots, m$.

By standard categorical construction (see for instance El, Chapter VI, 5) we get that sequent structures with approximable maps form a category RelSeq.

Similarly, we can introduce the category RelLat of distributive lattices, and maps $m : D \to \mathrm{Idl}(E)$, where $\mathrm{Idl}(E)$ is the frame generated by $E$.

Theorem 12. The categories RelSeq, RelLat, Spec are equivalent.

Proof. The equivalence between RelLat, Spec is standard (see 0, page 120), while the equivalence between RelSeq and Spec follows from the universal properties of the free frame construction (see for instance na, Chapter VI, 5, Exercise 2). □

8 Concluding Remarks

Sequent structures are the skeletons of propositional theories. A propositional theory can be reduced to a sequent structure by translating an entailment instance $\varphi_1 \vee \varphi_2 \vdash \psi_1 \wedge \psi_2$ to simpler ones $\varphi_i \vdash \psi_j$ ($i, j \in \{1, 2\}$) repeatedly until only $\wedge$ appears on the left and only $\vee$ appears on the right (distributivity is used in this process). The remaining $\wedge$'s and $\vee$'s can then be removed by virtue of sequents. Of course this process can be reversed; but we believe that working at the sequent level can in many cases avoid tedious syntactic details.

It is possible to provide a similar treatment to infinitary sequent structures. These structures consist of rules of the form $X \vdash Y$, with $X$ finite and $Y$ arbitrary. Any such structure can still be canonically embedded into a frame. However, completeness and compactness fail in this case. Except for the purpose of representing L-domains 1221 and of providing a connection to sober spaces, the significance of such a concept remains to be seen. We omit the treatment of them due to space limitations.

We end by repeating the hope given in the introduction that this paper be a first step in exploring completeness of various logical systems by means of canonical embedding into locales. It should be interesting to develop richer tools for this purpose, in order to handle additional logical operators. The well-known Henkin construction, for instance, has been investigated in this setting [I^ for linear logic.
Abstract. In the ambient logic of classical second order propositional calculus, we solve the specification problem for a family of excluded middle like tautologies. These are shown to be realized by sequential simulations of specific communication schemes for which they provide a safe typing mechanism.



1 Introduction 

Since the inception of the proof/program correspondence with the Curry-Howard isomorphism, one of the goals of proof theory has been the interpretation of logical rules as programming instructions. Only recently has this correspondence been extended to classical logic, which is now explained as a typing system for a $\lambda$-calculus augmented with a 'call-with-current-continuation' primitive, or some similar form of control such as an 'exception handler'. This extremely interesting explanation, first promoted by Griffin |S] and Felleisen, now admits many variants, as well as neat proof-theoretic renderings by Parigot 0 and Girard |2|, for instance. All these variants are given in terms of sequential languages, though.

In this paper, we significantly depart from this tradition by interpreting a family of classical formulas, namely pure disjunctions of literals, as specifying synchronisation protocols. We contend, more generally, that this paradigmatic shift towards a concurrent reading of classical logic gives rise to illuminating behavioural explanations.

The programming language we'll be using to make our point is a concurrent extension of a variant of Felleisen's $\lambda C$-calculus, so that the world of programs that formulas will be referring to will indeed be a world of concurrent processes. The ambient logic, i.e., the means of expressing behavioural specifications, will be classical second order propositional logic, equipped with only the following logical operators: $\to$ and $\forall$. More comprehensive frames, such as second order predicate calculus or even Zermelo-Fraenkel set theory, are amenable to the same treatment, as shown in 0, but this simple logic suffices for our present purposes. Finally, the main and only tool we shall use is a revised version of the second author's realizability method, which itself is an adaptation of the Tait-Girard reducibility method.

The gist of the interpretation is best understood with a simple example. Let's consider the formula $G_1 = \forall R \forall S\,[(R \to S) \vee (S \to R)]$. For one thing, we may recode implication as a disjunction and get a classically equivalent form of $G_1$, which is a pure disjunction of literals, namely $G_0 = \forall R \forall S\,[(\neg R \vee S) \vee (\neg S \vee R)]$. This last form is obviously true, so that $G_1$ itself is a tautology.

Conversely, the standard second order recoding of disjunction yields a purely implicative formula, which is an intuitionistic equivalent of $G_1$, namely $G = \forall R \forall S \forall X\,[((R \to S) \to X) \to (((S \to R) \to X) \to X)]$. This last formula can as well be reformulated as a rule:

$$\frac{\Gamma, R \to S \vdash X \qquad \Gamma, S \to R \vdash X}{\Gamma \vdash X}\ G$$

The operational explanation developed in this paper for such rules is as follows. Suppose we have two processes $P_1[k_1]$, $P_2[k_2]$, both of type $X$, with free variables, or channels, $k_1$, $k_2$, of respective types $R \to S$ and $S \to R$. By the rule above we can build a compound process of type $X$, say $[P_1 \mid P_2]$, within which $k_1$, $k_2$ are bound. Close examination with the realizability tool shows that the computational behaviour prescribed by $G$ is the following: $[P_1 \mid P_2]$ starts running both $P_1$ and $P_2$ concurrently; if both get locked in requesting values for their free variables, $k_1$ and $k_2$, their states can then be described as $(k_1) v_R \pi_S$ and $(k_2) v_S \pi_R$, where $v_R$, $v_S$ are some terms and $\pi_R$, $\pi_S$ are some sequences, or stacks, of terms; $[P_1 \mid P_2]$ then resumes the computation by running $(v_S)\pi_S$ and $(v_R)\pi_R$ concurrently.

That $G$ is a tautology amounts to saying, according to our interpretation, that this cross communication scheme is well-typed, in that if, as expected, $v_R$, $v_S$ are of respective types $R$ and $S$, and if $\pi_R$, $\pi_S$ provide suitable environments in which to evaluate any term of respective types $R$ and $S$, then both $(v_R)\pi_R$ and $(v_S)\pi_S$ will interact correctly.

This paper gives theoretical support to such concurrent computational expla- 
nations. A detailed construction of the framework, language, types and the re- 
alizability tool is given first. We then exercise that tool to extract concurrent 
behavioral specifications from a few tautologies, such as G, which is the simplest 
interesting example. Eventually, we home in on a quite general result explaining 
the family of purely disjunctive tautologies as synchronisation protocols. 



2 Terms, Types and Models 



In this preliminary section we first define our language, and the logic which types 
it, and then set up the suitable notion of realizability interpretation. 
2.1 The Programming Language

We first define the set $\Lambda$ of terms, denoted $t$, and the set $\Pi$ of stacks, denoted $\pi$, with the following grammar:

$$t ::= x,\ (t)t,\ t \mid t,\ \lambda x.t,\ \kappa x.t,\ *_t,\ *_\pi$$
$$\pi ::= \varepsilon,\ t \cdot \pi$$

We then define executables as finite multisets on $\Lambda \times \Pi$, still denoting $|$ the multiset constructor. By definition this constructor is commutative and associative. Those executables are equipped with an evaluation relation, written $\succ$, and defined as the smallest preorder on the set of executables which is compatible with $|$ and such that:

$$\begin{array}{ll}
(t)u, \pi \succ t, u \cdot \pi & \text{(push)} \\
t \mid u, \pi \succ t, \pi \mid u, \pi & \text{(dist)} \\
(\lambda x.t), u \cdot \pi \succ t[*_u/x], \pi & \text{(l-store)} \\
*_u, \pi \succ u, \pi & \text{(l-load)} \\
(\kappa x.t), \pi \succ t[*_\pi/x], \pi & \text{(k-store)} \\
*_{\pi'}, t \cdot \pi \succ t, \pi' & \text{(k-load)}
\end{array}$$

Note the analogy between the two binders, $\lambda x$ and $\kappa x$. The first takes a snapshot, denoted $*_u$, of $u$, the current top element of the stack, stores it in $x$ and pops the stack, while the second takes a snapshot, denoted $*_\pi$, of the whole stack $\pi$, stores it in $x$ as well, and leaves the stack intact. When $*_u$ comes in head position, it simply loads its value $u$, while $*_\pi$ throws the top element of the stack to its value.

The usual cc construction can be recovered as $\lambda h.\kappa k.(h)k$, one interest of our variant formulation being that the analogy just noted is made more obvious.

As an example, set $\delta = \kappa x.x$; then for any $\pi$ we get the loop:

$$(\delta)\delta, \pi \succ \delta, \delta \cdot \pi \succ *_{\delta \cdot \pi}, \delta \cdot \pi \succ \delta, \delta \cdot \pi.$$

2.2 The Typing System

Formulas or types, denoted $A, B, \ldots$, are here second order propositional formulas. Typing judgements of the form $x_1 : A_1, \ldots, x_n : A_n \vdash t : B$, where $t$ is a term and $A_1, \ldots, A_n, B$ are formulas, are generated by the following rules:

$$\Gamma, x : A \vdash x : A \quad (\text{axiom})$$

$$\frac{\Gamma, x : A \vdash t : B}{\Gamma \vdash \lambda x.t : A \to B}\ (\text{abs}) \qquad \frac{\Gamma \vdash t : A \to B \quad \Gamma \vdash u : A}{\Gamma \vdash (t)u : B}\ (\text{app})$$

$$\frac{\Gamma \vdash t : A}{\Gamma \vdash t : \forall X A}\ (\forall i) \qquad \frac{\Gamma \vdash t : \forall X A}{\Gamma \vdash t : A[B/X]}\ (\forall e)$$

$$\frac{\Gamma, x : A \to B \vdash t : A}{\Gamma \vdash \kappa x.t : A}\ (\text{peirce}) \qquad \frac{\Gamma \vdash t : A \quad \Gamma \vdash u : A}{\Gamma \vdash t \mid u : A}\ (\text{mix})$$

The quantification introduction rule, $\forall i$, is subject to the constraint that $X$ is not free in the context $\Gamma$. The first five rules give a standard presentation, known as natural deduction, for second order propositional intuitionistic logic. Together with the sixth rule, known as Peirce's law, we get one possible natural deduction presentation of second order propositional classical logic. The last rule, or mix rule, is just there to add expressive power on the terms side.



2.3 Truth Values and Models

Let $\bot$ be a given set of executables, which, we assume throughout the paper, is closed by $\succ$ and $|$. That is to say: 1) if $e \in \bot$ and $e' \succ e$, then $e' \in \bot$, and 2) if $e \in \bot$ and $e' \in \bot$, then $e \mid e' \in \bot$.

For any set of stacks $Z$, set $Z \to \bot$ to be the largest set of terms $X$ such that $X \times Z \subseteq \bot$. Any such set of terms, which can be written as $Z \to \bot$ for some set of stacks $Z$, will be said to be a truth value. Two particular truth values are of special interest, the largest one $\Lambda = \emptyset \to \bot$, and the smallest one, denoted $\top = \Pi \to \bot$. For any $t, \pi \in \bot$, $(*_\pi)t \in \top$, so $\top$ is empty iff $\bot$ is.

Given a choice of $\bot$, we can extend any map $|.|_0^- : \mathrm{Var} \to 2^\Pi$, from propositional variables to $2^\Pi$, to a map $|.|^- : \mathrm{Form}(2^\Pi) \to 2^\Pi$, from formulas with parameters in $2^\Pi$ to $2^\Pi$, as follows:

$$|Z|^- = Z$$
$$|X|^- = |X|_0^-$$
$$|A \to B|^- = (|A|^- \to \bot) \cdot |B|^-$$
$$|\forall X A|^- = \bigcup_Z |A[Z/X]|^-$$

In the last clause, the union is meant to range over all subsets $Z$ of $\Pi$. For instance, we get $|\forall X X|^- = \bigcup_Z |Z|^- = \bigcup_Z Z = \Pi$, so that $|\forall X X| = \top$.

We then define the dual map $|.| : \mathrm{Form}(2^\Pi) \to 2^\Lambda$ simply by putting:

$$|F| = |F|^- \to \bot,$$

so $|F|$ is always a truth value. Moreover, when $F$ is closed, its value $|F|$ only depends on the choice of $\bot$. Such valuations of classical formulas can be factorized through a 'not-not' translation to intuitionistic formulas.

When $\bot = \emptyset$, it is easily seen that $|.|$ can only take two values, namely $\emptyset$ and $\Lambda$, and that, for any closed formula $F$, $|F| = \Lambda$ iff $F$ is valid. In this special case the model collapses down to the usual notion of two-valued model. The generalization of this fact to any choice of $\bot$ is known as the adequacy property:

Proposition 1. Let $x_1 : A_1, \ldots, x_n : A_n \vdash t : B$ be derivable, $\bot$ be any set of multisets on $\Lambda \times \Pi$ closed by $\succ$ and $|$, and $|.|_0^-$ be any map from propositional variables to $2^\Pi$; then, for all $v_1 \in |A_1|, \ldots, v_n \in |A_n|$, and for all $\pi \in |B|^-$,

$$t[v_1/x_1, \ldots, v_n/x_n], \pi \in \bot.$$

Proof. The proof is by induction on the typing derivation of $t$. To ease the reading of the proof, we'll simply write $A$ and $A^-$ for $|A|$ and $|A|^-$, and $t[v_i/x_i]$ for $t[v_1/x_1, \ldots, v_n/x_n]$. We also skip the axiom and quantifier rules, which are trivial and use no assumption on $\bot$.

1. Application: $\dfrac{\Gamma \vdash t : A \to B \quad \Gamma \vdash u : A}{\Gamma \vdash (t)u : B}$. Pick $v_i \in A_i$ and $\pi \in B^-$.

By induction $t[v_i/x_i] \in A \to B = A \cdot B^- \to \bot$ and $u[v_i/x_i] \in A$, so that $t[v_i/x_i], u[v_i/x_i] \cdot \pi \in \bot$. But:

$$(t)u[v_i/x_i], \pi = (t[v_i/x_i])u[v_i/x_i], \pi \succ t[v_i/x_i], u[v_i/x_i] \cdot \pi,$$

$\bot$ being closed by (push), we deduce $(t)u[v_i/x_i], \pi \in \bot$, qed.

2. Abstraction: $\dfrac{\Gamma, x : A \vdash t : B}{\Gamma \vdash \lambda x.t : A \to B}$. Pick $v \in A$, $v_i \in A_i$, $\pi \in A^-$ and $\pi' \in B^-$.

We have $*_v, \pi \succ v, \pi$; $\bot$ being closed by (l-load), we deduce $*_v \in A$. So, by induction, $t[v_i/x_i][*_v/x], \pi' \in \bot$. But:

$$(\lambda x.t)[v_i/x_i], v \cdot \pi' = (\lambda x.t[v_i/x_i]), v \cdot \pi' \succ t[v_i/x_i][*_v/x], \pi',$$

$\bot$ being closed by (l-store), we deduce $(\lambda x.t)[v_i/x_i], v \cdot \pi' \in \bot$, qed.

3. Peirce: $\dfrac{\Gamma, x : A \to B \vdash t : A}{\Gamma \vdash \kappa x.t : A}$. Pick $v \in A$, $v_i \in A_i$, $\pi \in A^-$ and $\pi' \in B^-$.

We have $*_\pi, v \cdot \pi' \succ v, \pi$; $\bot$ being closed by (k-load), we deduce $*_\pi \in A \to B$. So, by induction, $t[v_i/x_i][*_\pi/x], \pi \in \bot$. But:

$$(\kappa x.t)[v_i/x_i], \pi = (\kappa x.t[v_i/x_i]), \pi \succ t[v_i/x_i][*_\pi/x], \pi,$$

$\bot$ being closed by (k-store), we deduce $(\kappa x.t)[v_i/x_i], \pi \in \bot$, qed.

4. Mix: $\dfrac{\Gamma \vdash t : A \quad \Gamma \vdash t' : A}{\Gamma \vdash t \mid t' : A}$. Pick $v_i \in A_i$ and $\pi \in A^-$.

By induction, $t[v_i/x_i], \pi$ and $t'[v_i/x_i], \pi \in \bot$, so, $\bot$ being closed by $|$, we get $t[v_i/x_i], \pi \mid t'[v_i/x_i], \pi \in \bot$. But:

$$(t \mid t')[v_i/x_i], \pi = t[v_i/x_i] \mid t'[v_i/x_i], \pi \succ t[v_i/x_i], \pi \mid t'[v_i/x_i], \pi,$$

$\bot$ being closed by (dist), we deduce $(t \mid t')[v_i/x_i], \pi \in \bot$. □

The proof is perfectly modular, each listed case calling on its own closure conditions on $\bot$, which we have carefully recorded. Indeed, this proof, in some sense, describes a set of computation rules which are compatible with the typing system.

3 The Specification Problem

We can now put this adequacy result to good use. Careful choices of $\bot$ result in proving normalizability results, which has been the traditional application of adequation. Here, we'll be using it in a somewhat different way, to solve the so-called specification problem. That is, given an $F$, is there any computational behaviour which all terms of type $F$ have in common?



3.1 Booleans

Let's start with a very simple example: $B = \forall X\,[X \to (X \to X)]$.

From now on, as in the adequation proof, we'll simply write $A$ and $A^-$ in place of $|A|$ and $|A|^-$. The particular choices we'll make for $\bot$ will always be closures by $\succ$ and $|$ of a given generating set of executables.

Proposition 2. Let $\vdash t : B$ be derivable; then for all terms $a$, $b$ and for all stacks $\pi$, $tab, \pi$ evaluates into a multiset on $\{(a, \pi), (b, \pi)\}$.

Proof. Indeed, let $a$, $b$ be terms and $\pi$ be a stack. Take $\bot$ to be the closure of $\{(a, \pi), (b, \pi)\}$ and set $X^- = \{\pi\}$. Then $a$ and $b \in X$, hence, by adequation, $t, a \cdot b \cdot \pi \in \bot$, so that by (push), $tab, \pi \in \bot$. □

For instance $t = \lambda x.\lambda y.x \mid \lambda x.\lambda y.y : B$ does behave in this way, since $tab, \pi \succ a, \pi \mid b, \pi$.

One can refine a specification. Though we didn't develop the formal material pertaining to predicate calculus, the following should be pretty self-explanatory.

Consider a language $\mathcal{L}$ with two individual constants, 0 and 1, set:

$$B_x = \forall X\,[X0 \to (X1 \to Xx)],$$

and suppose $\vdash t : B0$. Take then $\bot$ to be the closure of $\{(a, \pi)\}$ and set $X0^- = \{\pi\}$ and $X1 = \Lambda$. Clearly $a \in X0$ and $b \in X1$, so that $t, a \cdot b \cdot \pi \in \bot$, and hence, by (push), $tab, \pi \in \bot$. So we get:

Proposition 3. Let $\vdash t : B0$ be derivable; then for all terms $a$, $b$ and for all stacks $\pi$: $tab, \pi$ evaluates into a multiset on $\{(a, \pi)\}$.

Informally, this last proposition says that any $t : B0$ behaves as a certain number of $\lambda x.\lambda y.x$ running concurrently, a property which one might think of as computational consistency for our system.

To recap, adequation gives a means of decoding the behaviour specified by a given formula with respect to a given language. This is the main thrust here. Conversely, one can use it to refute typability. For instance, the proposition above shows in particular that $t = \lambda x.\lambda y.x \mid \lambda x.\lambda y.y$ can't be of type $B0$, nor can any term with the same behaviour.
3.2 The Excluded Middle

Set $T = \forall X \forall R \forall S\,[((R \to S) \to X) \to ((R \to X) \to X)]$, which is the usual implicative coding of the excluded middle, $T_1 = \forall R \forall S\,[(R \to S) \vee R]$.

We want to show:

Proposition 4. Let $\vdash c : T$ be derivable; then for all terms $p$, $\sigma$, $r$ and for all stacks $\pi$, $\pi_R$ and $\pi_S$ such that, for all terms $a$ and $b$, $pa, \pi \succ a, r \cdot \pi_S$ and $\sigma b, \pi \succ b, \pi_R$, the executable $cp\sigma, \pi$ evaluates into a multiset on $\{(r, \pi_R)\}$.

Proof. Let $p$, $\sigma$, $r$, $\pi$, $\pi_R$ and $\pi_S$ be as above. Take for $\bot$ the closure of $\{(r, \pi_R)\}$, and set $R^- = \{\pi_R\}$, $S^- = \{\pi_S\}$ and $X^- = \{\pi\}$.

First, we have $r \in R$. Let now $a \in R \to S$; by definition $a, r \cdot \pi_S \in \bot$, so by $\bot$ being closed: $p, a \cdot \pi \in \bot$, hence $p \in (R \to S) \to X$. Likewise, if $b \in R$, by definition $b, \pi_R \in \bot$, so by $\bot$ being closed: $\sigma, b \cdot \pi \in \bot$, hence $\sigma \in R \to X$. By adequation we get: $c, p \cdot \sigma \cdot \pi \in \bot$. □

This specification can be rendered informally as follows: $c$ launches two executables, or two independent processes, $p$ and $\sigma$, passing over to each a variable, $a$ and $b$ respectively, and a same context $\pi$; if both processes stop on these variables, $c$ sends $p$'s top stack element to $\sigma$, via $b$, so that $\sigma$ runs again, while $p$ dies.

Let's run an example. We set $((c)p)\sigma = \kappa k.(\sigma)\kappa h.(k)(p)h$, and by typing $k : X \to R$ and $h : R \to S$, we do have $cp\sigma : X$ as it should. If $p$ and $\sigma$ behave as in the proposition, we then get the following interaction:

$$\begin{array}{rl}
cp\sigma, \pi & \succ (\sigma)\kappa h.(*_\pi)(p)h, \pi \\
& \succ \kappa h.(*_\pi)(p)h, \pi_R \\
& \succ (*_\pi)(p)*_{\pi_R}, \pi_R \\
& \succ *_{\pi_R}, r \cdot \pi_S \\
& \succ r, \pi_R,
\end{array}$$

with the expected result. And thus we get one possible sequential implementation of the specification. It can be observed that, in this particular example, $\sigma$ is run first, which means that $T$ can't be understood as specifying an exception handling mechanism where $\sigma$ would be the handler!

A particular case is when $\sigma = \lambda x.x$, which at the level of types means $X = R$. The behaviour is now: if ever $pa, \pi \succ a, r \cdot \pi_S$, then $((c)p)\lambda x.x, \pi$ evaluates to a multiset on $\{(r, \pi)\}$. If we further assume that all terms involved are sequential, i.e., none involves the $|$ operator, then we simply get $((c)p)\lambda x.x, \pi \succ r, \pi$, which is the behaviour of cc. In that $T[R/X]$ is trivially equivalent to Peirce's law, this shouldn't be too much of a surprise.
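The machine of Section 2.1, implemented as an added example that is not the paper's own code: the six rules become a step function, which is then run on the Boolean term of 3.1 and on the term $((c)p)\sigma = \kappa k.(\sigma)\kappa h.(k)(p)h$ above, with the constructed choices $p = \lambda a.(a)r$ (so $pa, \pi \succ a, r \cdot \pi$) and $\sigma = \lambda b.b$ (so $\sigma b, \pi \succ b, \pi$), which is the sequential case $\sigma = \lambda x.x$ just discussed; the $\delta$ loop of 2.1 is also checked. Class and function names are mine.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Terms of Section 2.1; the class names are mine, the constructors follow the grammar.
@dataclass(frozen=True)
class Var:          # x
    name: str
@dataclass(frozen=True)
class App:          # (t)u
    fun: "Term"
    arg: "Term"
@dataclass(frozen=True)
class Par:          # t | u
    left: "Term"
    right: "Term"
@dataclass(frozen=True)
class Lam:          # λx.t
    var: str
    body: "Term"
@dataclass(frozen=True)
class Kap:          # κx.t
    var: str
    body: "Term"
@dataclass(frozen=True)
class StoreT:       # *_u, snapshot of a term
    term: "Term"
@dataclass(frozen=True)
class StoreS:       # *_π, snapshot of a stack
    stack: "Stack"

Term = Union[Var, App, Par, Lam, Kap, StoreT, StoreS]
Stack = Tuple[Term, ...]     # π ::= ε | t·π, top element first
Proc = Tuple[Term, Stack]    # one process (t, π) of an executable

def subst(t: Term, x: str, v: Term) -> Term:
    """t[v/x]; snapshots are opaque, so nothing inside them is rewritten."""
    if isinstance(t, Var):
        return v if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, v), subst(t.arg, x, v))
    if isinstance(t, Par):
        return Par(subst(t.left, x, v), subst(t.right, x, v))
    if isinstance(t, (Lam, Kap)):
        return t if t.var == x else type(t)(t.var, subst(t.body, x, v))
    return t

def step(proc: Proc) -> Optional[Tuple[Proc, ...]]:
    """One evaluation step on a single process; None when it is stuck."""
    t, pi = proc
    if isinstance(t, App):                  # (push)    (t)u, π ≻ t, u·π
        return ((t.fun, (t.arg,) + pi),)
    if isinstance(t, Par):                  # (dist)    t|u, π ≻ t, π | u, π
        return ((t.left, pi), (t.right, pi))
    if isinstance(t, Lam) and pi:           # (l-store) λx.t, u·π ≻ t[*_u/x], π
        return ((subst(t.body, t.var, StoreT(pi[0])), pi[1:]),)
    if isinstance(t, StoreT):               # (l-load)  *_u, π ≻ u, π
        return ((t.term, pi),)
    if isinstance(t, Kap):                  # (k-store) κx.t, π ≻ t[*_π/x], π
        return ((subst(t.body, t.var, StoreS(pi)), pi),)
    if isinstance(t, StoreS) and pi:        # (k-load)  *_π', t·π ≻ t, π'
        return ((pi[0], t.stack),)
    return None

def run(exe, fuel: int = 1000) -> Optional[Counter]:
    """Run all processes until stuck; None if `fuel` steps did not suffice (δ loop)."""
    pending, done = list(exe), Counter()
    while pending:
        if fuel == 0:
            return None
        proc = pending.pop()
        nxt = step(proc)
        if nxt is None:
            done[proc] += 1
        else:
            fuel -= 1
            pending.extend(nxt)
    return done

# Constructed free variables a, b, r and an arbitrary context stack π = z·ε.
a, b, r = Var("a"), Var("b"), Var("r")
PI: Stack = (Var("z"),)
# 3.1: t = λx.λy.x | λx.λy.y of type B; expected t a b, π ≻ a, π | b, π.
BOOL = Par(Lam("x", Lam("y", Var("x"))), Lam("x", Lam("y", Var("y"))))
# 3.2: ((c)p)σ = κk.(σ)κh.(k)(p)h with the constructed p = λa.(a)r, so that
# p a, π ≻ a, r·π, and σ = λb.b, so that σ b, π ≻ b, π (here π_R = π_S = π).
P = Lam("a", App(Var("a"), r))
SIGMA = Lam("b", Var("b"))
C_P_SIGMA = Kap("k", App(SIGMA, Kap("h", App(Var("k"), App(P, Var("h"))))))
DELTA = Kap("x", Var("x"))                  # 2.1: (δ)δ, π loops forever

def boolean_result() -> Counter:
    return run([(App(App(BOOL, a), b), PI)])   # {(a, π): 1, (b, π): 1}

def cc_result() -> Counter:
    return run([(C_P_SIGMA, PI)])              # {(r, π): 1}, as in the trace above

def loop_diverges() -> bool:
    return run([(App(DELTA, DELTA), PI)], fuel=50) is None
```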




Disjunctive Tautologies as Synchronisation Schemes



3.3 The Symmetric Excluded Middle

We return to $G$, already presented in the introduction. This formula is not intuitionistically valid, and the logic obtained when adding it to intuitionistic logic is that of formulas which are true in any linear Kripke model. What we set up to prove is:

Proposition 5. Let $\vdash c : G$ be derivable; then for all terms $p$, $\sigma$, $r$ and $s$ and for all stacks $\pi$, $\pi_R$ and $\pi_S$ such that, for all terms $a$ and $b$, $pa, \pi \succ a, r \cdot \pi_S$ and $\sigma b, \pi \succ b, s \cdot \pi_R$, the executable $cp\sigma, \pi$ evaluates into a multiset on $\{(s, \pi_S), (r, \pi_R)\}$.

Proof. Let $p$, $\sigma$, $r$, $s$, $\pi$, $\pi_R$ and $\pi_S$ be as above. Take for $\bot$ the closure of $\{(s, \pi_S), (r, \pi_R)\}$, and set $R^- = \{\pi_R\}$, $S^- = \{\pi_S\}$ and $X^- = \{\pi\}$.

For one thing $r \in R$ and $s \in S$.

Let now $a \in R \to S$; by definition $a, r \cdot \pi_S \in \bot$, so by $\bot$ being closed: $p, a \cdot \pi \in \bot$, hence $p \in (R \to S) \to X$. Symmetrically, $\sigma \in (S \to R) \to X$. Whence by adequation we get: $c, p \cdot \sigma \cdot \pi \in \bot$. □

An example is $((c_G)p)\sigma = \kappa k.(p)\lambda x^R.(k)(\sigma)\lambda y^S.x : X$, or $c'_G$ the symmetric form exchanging $\sigma$ and $p$. When $p$ and $\sigma$ behave as in the proposition, $((c_G)p)\sigma, \pi \succ r, \pi_R$, whereas $((c'_G)p)\sigma, \pi \succ s, \pi_S$.

In pure propositional calculus, there is no means to discriminate between these two behaviours. As in the case of the boolean type, we can refine the specification in predicate calculus, by decorating $G$ as:

$$\forall R \forall S\,[(\forall x\,Rx \to \forall x\,Sx) \vee \forall x\,(Sx \to Rx)].$$

Then all terms of that type will behave as $c_G$ does.

Note also that, since $T$ trivially implies $G$, there is a form of compatibility between the two specifications.

We don't rerun the operational explanation given in the introduction. Let us observe, yet, that the proposition is not saying that any $c$ of type $G$ is implementing the cross communication mechanism. In fact that can't be the case, since sequential proofs, such as the one above, just can't express it. But some proofs will, such as $c_G \mid c'_G$. Admittedly, the implementation is not very elegant. The reasonable thing to do, then, seems to be to extend the language with a new suitable primitive. One subtle point yet is that the naive rule:

$$[a, r \cdot \pi_S \mid b, s \cdot \pi_R \mid \ldots] \succ [r, \pi_R \mid s, \pi_S \mid \ldots],$$

would be wrong in that $r$, $s$ might respectively contain $a$ and $b$, so that both executables $r, \pi_R$ and $s, \pi_S$ might know $a$ and $b$ and could subsequently deadlock by calling on the same channel.

One other desirable thing would be a general specification result about $T$- and $G$-like formulas, perhaps giving some insight on why they should specify a means of synchronisation, and explaining as well what other schemes are typable. This is the object of the next and last subsection.



3.4 Disjunctive Tautologies

Let's consider a finite family of formulas $A_i$, $i \in I$, each of the form:

$$A_i = B_{i1} \to (\cdots (B_{im_i} \to C_i) \cdots),$$

where the $B_{ij}$'s and $C_i$'s are all propositional variables, and set $A$ to be the universal closure of $\bigvee_i A_i$. Such an $A$ will be called a purely disjunctive formula.

We define the truth set of $A$, denoted $\mathrm{tr}(A)$, to be the set of triples $i, j, k$ such that $B_{ij} = C_k$. Rewriting all implications in $A$ as disjunctions yields a classically equivalent formula which is the closure of a disjunction of literals, namely $(\bigvee_{i,j} \neg B_{ij}) \vee \bigvee_k C_k$, whence $A$ is valid iff its truth set is not empty.

Conversely, by the standard second order encoding of disjunctions as implications, we can obtain an intuitionistic equivalent of $A$, which we still denote $A$ in the proposition below.

Both $T_1$ and $G_1$, which we already ran into, are purely disjunctive; a simpler example is $V = \forall A\,[A \to A]$, and a longer one is:

$$W = \forall A B C\,[(A \to (B \to C)) \vee (C \to A) \vee (C \to B)].$$

The special thing about them is:

Proposition 6. Let $A$ be a purely disjunctive formula and let $\vdash c : A$ be derivable; then for all terms $p_i$, $b_{ij}$ and for all stacks $\pi$, $\pi_i$ such that, for all terms $a$, $p_i a, \pi \succ a, b_{i1} \cdot \cdots \cdot b_{im_i} \cdot \pi_i$, the executable $cp_1 \ldots p_n, \pi$ evaluates into a multiset on $\{(b_{ij}, \pi_k) : i, j, k \in \mathrm{tr}(A)\}$.

Proof. Note that if $A$ is false, then, hopefully, $\vdash c : A$ is not derivable, and the statement then vacuously holds.

The proof goes the usual way. Take for $\bot$ the closure of $\{(b_{ij}, \pi_k) : i, j, k \in \mathrm{tr}(A)\}$, set $X^- = \{\pi\}$ and $C_i^- = \{\pi_k : C_k = C_i\}$.

First we observe that $b_{ij}, \pi_k \in \bot$ whenever $B_{ij} = C_k$, hence $b_{ij} \in B_{ij}$ if there is some $k$ such that $i, j, k \in \mathrm{tr}(A)$. If not, we simply take $B_{ij} = \Lambda$. In all cases, we now have $b_{ij} \in B_{ij}$.

Let $a \in A_i$; then $a, b_{i1} \cdot \cdots \cdot b_{im_i} \cdot \pi_i \in \bot$, and so does $p_i a, \pi$, hence $p_i \in A_i \to X$. Therefore, $cp_1 \ldots p_n, \pi \in \bot$. □

If we consider any protocol generated by $V$, then we see it is sequential, $c$ merely feeding $p$ with the identity, should $p$ ever stop on $a$. In fact, $V$ is intuitionistically valid, and any intuitionistic proof of a purely disjunctive formula generates a dummy protocol, by the ... disjunction property. That is, intuitionistic terms, even using $|$, can only fork and will never synchronise back their threads. In fact, $|$ itself behaves like this and can be thought of as a degenerate synchronisation scheme associated to the disjunctive formula $\top \vee \top$, where $\top$ stands for the logical constant 'true'.

Next, if we turn to $W$, we see that associated protocols can be non-linear and non-deterministic as well. Specifically, if our three processes are blocked as in $p_1 a_1, \pi \succ a_1, v_A \cdot v_B \cdot \pi_C$, $p_2 a_2, \pi \succ a_2, v_C \cdot \pi_A$ and $p_3 a_3, \pi \succ a_3, v'_C \cdot \pi_B$, then communication could be implemented by launching concurrently $v_C, \pi_C$ and $v'_C, \pi_C$, or by launching one of them only, etc. There is room in such a specification for creating dynamic patterns of synchronisation.



4 Conclusion

So what? We have shown disjunctive tautologies have as realizers $\lambda\kappa$-terms which are dying to be read as sequential implementations of more abstract concurrent programs, namely synchronisation schemes. We didn't, as the referees would point out, develop those concurrent programs in an independent syntax such as the pi- or the join-calculus [Z|. That remains to be done. We didn't either bring in any concrete concurrent example backing the expressiveness of these schemes. As all synchronisations here are by construction deadlock-free, they shouldn't be expected to have immense expressive power anyway.
Abstract. The equational properties of the least fixed point operation on ($\omega$-)continuous functions on ($\omega$-)complete partially ordered sets are captured by the axioms of iteration algebras, or iteration theories. We show that the equational laws of the binary supremum operation in conjunction with the least fixed point operation on ($\omega$-)continuous functions on ($\omega$-)complete semilattices have a finite axiomatization over the equations of iteration algebras. As a byproduct of this relative axiomatizability result, we obtain complete infinite equational, and finite implicational axiomatizations.



1 Introduction

Consider the language of $\mu$-terms given by the syntax

$$T ::= x \mid \sigma(\underbrace{T, \ldots, T}_{n\text{ times}}) \mid T + T \mid 0 \mid \mu x.T$$

where $x$ ranges over a countably infinite set of variables, and for each $n \ge 0$, $\sigma$ ranges over a set of $n$-ary function symbols. Such terms may be interpreted as ($\omega$-)continuous functions on ($\omega$-)complete semilattices, or as monotonic functions on complete semilattices $A$, where $+$ denotes the supremum operation, $0$ denotes the least element of $A$, and where terms of the form $\mu x.t$ denote least (pre-)fixed points. We show that under these interpretations the valid equations between $\mu$-terms possess a finite axiomatization over the axioms of iteration algebras (or iteration theories) 0, which capture the equational properties of the least fixed point operation on ($\omega$-)continuous or monotonic functions. We prove that the following set of equations is relatively complete, where for any $\mu$-terms $t, t'$, $t \le t'$ is an abbreviation for $t + t' = t'$.

$$x + (y + z) = (x + y) + z \qquad (1)$$

$$x + y = y + x \qquad (2)$$

$$x + 0 = x \qquad (3)$$

$$\mu x.x = 0 \qquad (4)$$

$$\sigma(x_1, \ldots, x_n) \le \sigma(x_1 + y_1, \ldots, x_n + y_n), \quad \sigma \in \Sigma_n,\ n \ge 0 \qquad (5)$$

$$\mu x.t \le \mu x.t + t' \qquad (6)$$

$$\mu x.x + y = y \qquad (7)$$

(As usual, the scope of the prefix $\mu x$ extends to the right as far as possible.) The equation

$$x + x = x \qquad (8)$$

is a consequence of the above axioms and those of iteration algebras. Note that (5) is an equation scheme. Equations © may be replaced by the equation scheme (d.) As a byproduct of our relative completeness result, we obtain complete infinite equational and finite implicational axiomatizations. In fact, it follows that the system consisting of the equations above, the Conway equations

$$\mu x.t[t'/x] = t[\mu x.t'[t/x]/x] \qquad (9)$$

$$\mu x.t[x/y] = \mu x.\mu y.t, \qquad (10)$$

and an equation associated with each finite (simple) group is complete. (Group-equations for $\mu$-terms were introduced in m as a generalization of Conway's group-equations for regular languages, cf. m. The completeness of the Conway equations and the group-equations for iteration algebras extends Krob's result m who confirmed a longstanding conjecture of Conway m about the axiomatization of the equational theory of regular sets.) By recent advances in the study of iteration theories in, it follows that the implicational system consisting of dU - ®, 0 , 0, the fixed point equation

$$\mu x.t = t[\mu x.t/x] \qquad (11)$$

and the least pre-fixed point rule (or fixed point induction) |24I3]

$$t[y/x] \le y \ \Rightarrow\ \mu x.t \le y \qquad (12)$$

is also complete. This result is analogous to Kozen's axiomatization m of the equational theory of the regular sets, which improves on Salomaa's axiomatization, which is not a pure implicational system and is not sound in most of the natural models. We also show that there is no finite equational axiomatization and establish the existence of a polynomial time decision algorithm for the validity of equations. Along the way of proving these results, we give a concrete description of the free algebras in the corresponding variety of iteration algebras. This description uses simulation equivalence classes of regular synchronization trees gSEBl. Thus, our axioms are also sound and complete for simulation equivalence of (regular) processes, connecting our work to a large body of axiomatization results in process algebra, of which \mmvA is only a small sampling.
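An added example, not from the paper, that decides equations (1)-(8), the fixed point equation (11) and the induction rule (12) in one concrete $\omega$-complete semilattice: the powerset of $\{0, 1, 2\}$ under union, with a constructed unary letter $s$ interpreted by a monotone map, $\mu x.t$ being computed by Kleene iteration from the least element. The sample instances $t = s(x) + y$ and $t' = s(s(y))$ used for (6), (11) and (12), and all class and function names, are my choices.

```python
from dataclasses import dataclass
from itertools import combinations, product
from typing import Dict, FrozenSet, Tuple, Union

Val = FrozenSet[int]                      # elements of the semilattice 2^{0,1,2}

# μ-terms of the Introduction; class names are mine.
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Zero:
    pass
@dataclass(frozen=True)
class Plus:
    left: "Term"
    right: "Term"
@dataclass(frozen=True)
class Op:
    sym: str
    args: Tuple["Term", ...]
@dataclass(frozen=True)
class Mu:
    var: str
    body: "Term"
Term = Union[Var, Zero, Plus, Op, Mu]

UNIVERSE = frozenset({0, 1, 2})
ALL_VALUES = [frozenset(c) for k in range(4) for c in combinations(sorted(UNIVERSE), k)]
# Signature: one unary letter s interpreted by a monotone map (constructed).
# On a finite lattice every monotone map is ω-continuous.
SIGMA = {"s": lambda v: frozenset((k + 1) % 3 for k in v)}

def evaluate(t: Term, env: Dict[str, Val]) -> Val:
    """t_A(env): + is union, 0 is ∅, letters are looked up in SIGMA, μx.t is the lfp."""
    if isinstance(t, Var):
        return env[t.name]
    if isinstance(t, Zero):
        return frozenset()
    if isinstance(t, Plus):
        return evaluate(t.left, env) | evaluate(t.right, env)
    if isinstance(t, Op):
        return SIGMA[t.sym](*(evaluate(u, env) for u in t.args))
    # Kleene iteration from the least element ∅: the chain is increasing because
    # all operations are monotone, and it stabilises because the lattice is finite.
    cur: Val = frozenset()
    while True:
        nxt = evaluate(t.body, {**env, t.var: cur})
        if nxt == cur:
            return cur
        cur = nxt

def subst(t: Term, x: str, u: Term) -> Term:
    """t[u/x]; bound variables of t are assumed not to occur free in u."""
    if isinstance(t, Var):
        return u if t.name == x else t
    if isinstance(t, Zero):
        return t
    if isinstance(t, Plus):
        return Plus(subst(t.left, x, u), subst(t.right, x, u))
    if isinstance(t, Op):
        return Op(t.sym, tuple(subst(v, x, u) for v in t.args))
    return t if t.var == x else Mu(t.var, subst(t.body, x, u))

def leq(t: Term, u: Term, env: Dict[str, Val]) -> bool:
    """t ≤ u abbreviates t + u = u."""
    return evaluate(Plus(t, u), env) == evaluate(u, env)

def valid(holds) -> bool:
    """Quantify a property of the assignment over all values of x, y, z."""
    return all(holds({"x": a, "y": b, "z": c}) for a, b, c in product(ALL_VALUES, repeat=3))

x, y, z = Var("x"), Var("y"), Var("z")
def s(t: Term) -> Term:
    return Op("s", (t,))
T = Plus(s(x), y)        # constructed instance of t with x free: s(x) + y
TP = s(s(y))             # constructed instance of t': s(s(y))

def check_axioms() -> Dict[str, bool]:
    """Each listed law, decided in the finite model (True when it holds)."""
    ev = evaluate
    return {
        "(1)": valid(lambda e: ev(Plus(x, Plus(y, z)), e) == ev(Plus(Plus(x, y), z), e)),
        "(2)": valid(lambda e: ev(Plus(x, y), e) == ev(Plus(y, x), e)),
        "(3)": valid(lambda e: ev(Plus(x, Zero()), e) == ev(x, e)),
        "(4)": valid(lambda e: ev(Mu("x", x), e) == frozenset()),
        "(5)": valid(lambda e: leq(s(x), s(Plus(x, y)), e)),
        "(6)": valid(lambda e: leq(Mu("x", T), Mu("x", Plus(T, TP)), e)),
        "(7)": valid(lambda e: ev(Mu("x", Plus(x, y)), e) == ev(y, e)),
        "(8)": valid(lambda e: ev(Plus(x, x), e) == ev(x, e)),
        "(11)": valid(lambda e: ev(Mu("x", T), e) == ev(subst(T, "x", Mu("x", T)), e)),
        "(12)": valid(lambda e: leq(Mu("x", T), y, e) or not leq(subst(T, "x", y), y, e)),
    }
```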

2 The Models 

2.1 Preiteration Algebras 

Terms, or fj,-terms over a signature S are defined by the syntax 

n— times 

T ::= a;|cr(T, ... ,T) \^ix.T, 

where x ranges over a countably infinite set X of variables, and for each n > 0, 
(j ranges over En. Thus, the terms given in the Introduction may be regarded 
as ^-terms over the signature obtained by adding the binary letter + and 
the constant 0 to if. A term with no occurrence of a prefix fix is called finite. 
Free and bound variables in a term are defined as usual. We identify any two 
fj.-terms that differ only in the names of the bound variables. Moreover, for any /i- 
terms t,t\,. . . ,tn and distinct variables X\, . . . , Xn, we write t[ti/xi , . . . , tnixn] 
or t\ti,... ,tnjx\,... ,Xn] for the term that results from t by simultaneously 
substituting ti for Xi, for each i € [n]. Since we may assume that the bound 
variables in t are different from the variables that have a free occurrence in 
the terms ti, no free variable in the ti may become bound as the result of the 
substitution. 

A preiteration E-algebra is a set A together with an assignment of a function 
tA '. A^ — )► A to each term t over E subject to the following rules: 

1. For each variable x and a G A^ , xa{o) = a{x), i.e., xa is the projection 
A^ — >■ A corresponding to x. 

2. If a,5e are such that a{x) = b{x) for all variables x with a free occur- 
rence in t, then tA(a) = tA{b). 

3. For all terms t,t\,... ,tn and a G A^ , {t[ti/xi, . . . ,tn/xn])A{a) = tA{b), 
where b{xi) = (<i)^(a), i G [n], and b{x) = a{x), if x ^ {x\, . . . , Xn}- 

4. For all terms t,t' and variable x, if tA = t'A, then {p.x.t)A = {fJ-x.t')A- 

When $a(x) = a_x \in A$ for each variable $x \in V$, where $V \subseteq X$ contains the free
variables of $t$, below we will often write $t_A(a_x/x)$ or just $t(a_x/x)$ for $t_A(a)$. When
$t$ has no free variable, we also write $t_A$. A homomorphism $A \to B$ of preiteration
$\Sigma$-algebras is a function $h : A \to B$ such that $t_A(a_x/x)h = t_B(a_xh/x)$, for all
terms $t$ and $a_x \in A$, $x \in X$. If $A$ and $B$ are preiteration $\Sigma$-algebras such that
$A$ is a subset of $B$ and the inclusion of $A$ into $B$ is a homomorphism, we call $A$
a sub-preiteration $\Sigma$-algebra of $B$. Moreover, if $h$ is a surjective homomorphism
$A \to B$, then we call $B$ a quotient of $A$. In particular, if $\theta$ is a (preiteration
$\Sigma$-algebra) congruence on $A$, i.e., $\theta$ is an equivalence relation on $A$ such that
$a(x)\,\theta\,b(x)$, $x \in X$, implies $t(a)\,\theta\,t(b)$, for all terms $t$ and $a, b \in A^X$, and such that
for all terms $t, t'$, if $t(a)\,\theta\,t'(a)$ holds for all $a \in A^X$, then for any variable $x$,
$(\mu x.t)(a)\,\theta\,(\mu x.t')(a)$ for all $a \in A^X$, then the factor set $A/\theta$ can be turned into
a preiteration $\Sigma$-algebra in a unique way such that the quotient map $A \to A/\theta$
becomes a homomorphism.

Example 1. Recall that an $\omega$-continuous $\Sigma$-algebra is a $\Sigma$-algebra $A$ which is
an $\omega$-complete poset such that the operations $\sigma_A : A^n \to A$ induced by the
letters $\sigma \in \Sigma_n$, $n \geq 0$, are $\omega$-continuous, i.e., they preserve the supremum of
any $\omega$-chain. Each $\omega$-continuous $\Sigma$-algebra may be turned into a preiteration $\Sigma$-
algebra such that if $t = \sigma(t_1, \ldots, t_n)$, for some $\sigma \in \Sigma_n$ and terms $t_1, \ldots, t_n$, then
$t_A(a) = \sigma_A((t_1)_A(a), \ldots, (t_n)_A(a))$, for all $a \in A^X$. Moreover, if $t = \mu x.t'$, for
some variable $x$ and $\mu$-term $t'$, then for each $a \in A^X$, $(\mu x.t')_A(a)$ is the least (pre-)fixed
point of the $\omega$-continuous function $A \to A$, $b \mapsto t'_A(a_b)$, where $a_b \in A^X$
agrees with $a$ except that it maps $x$ to $b$. A homomorphism of $\omega$-continuous $\Sigma$-
algebras is a $\Sigma$-algebra homomorphism which is an $\omega$-continuous function. It
follows that any homomorphism of $\omega$-continuous $\Sigma$-algebras is a homomorphism
of the corresponding preiteration $\Sigma$-algebras.

Example 2. The previous example can be generalized. Suppose that $A$ is a small
(skeletal) category that has an initial object and colimits of all $\omega$-diagrams.
Moreover, suppose that for each $\sigma \in \Sigma_n$, $\sigma_A$ is an $\omega$-continuous functor $A^n \to A$,
so that $\sigma_A$ preserves colimits of $\omega$-diagrams. Then we may assign a functor
$t_A : A^X \to A$ to each term $t$ over $\Sigma$ using initial fixed points. The set of objects
of $A$ thus becomes a preiteration $\Sigma$-algebra. See [H] for details.

A semilattice $\Sigma$-algebra $(A, \Sigma, +, 0)$ has both the structure of a $\Sigma$-algebra $(A, \Sigma)$
and the structure $(A, +, 0)$ of a semilattice with zero. A homomorphism of semilattice
$\Sigma$-algebras preserves the $\Sigma$-algebra operations, the semilattice operation
$+$ and the constant $0$. An ordered semilattice $\Sigma$-algebra is a semilattice $\Sigma$-algebra
which satisfies equations (o), so that the operations are monotonic with respect
to the induced partial order defined by $a \leq b$ iff $a + b = b$. Homomorphisms of
ordered semilattice $\Sigma$-algebras are just semilattice $\Sigma$-algebra homomorphisms.
Note that semilattice $\Sigma$-algebras form a variety of $\Sigma_{+,0}$-algebras. This variety is
axiomatized by the equations (dU) and (0). Ordered semilattice $\Sigma$-algebras
form a subvariety of semilattice $\Sigma$-algebras.

An $\omega$-continuous semilattice $\Sigma$-algebra $A = (A, \Sigma, +, 0)$ is both a semilattice
with zero $(A, +, 0)$ and an $\omega$-continuous $\Sigma$-algebra $(A, \Sigma)$, equipped with the
induced partial order. It follows that all countable suprema exist in $A$.
Alternatively, an $\omega$-continuous semilattice $\Sigma$-algebra is a semilattice $\Sigma$-algebra which,
equipped with the induced partial order, is an $\omega$-continuous $\Sigma$-algebra. Homomorphisms
of $\omega$-continuous semilattice $\Sigma$-algebras are both semilattice homomorphisms and
$\omega$-continuous $\Sigma$-algebra homomorphisms. Since in an $\omega$-continuous semilattice
$\Sigma$-algebra $+$ is just the supremum operation with respect to the semilattice
order, it follows that this operation is also $\omega$-continuous. Thus, any $\omega$-continuous
semilattice $\Sigma$-algebra is an $\omega$-continuous $\Sigma_{+,0}$-algebra. Also, any $\omega$-continuous
semilattice $\Sigma$-algebra is an ordered semilattice $\Sigma$-algebra, and any homomorphism
of $\omega$-continuous semilattice $\Sigma$-algebras is an (ordered) semilattice $\Sigma$-
algebra homomorphism. (For a different definition of continuous semilattices
see [EE].)
Suppose that $t$ and $t'$ are terms over $\Sigma$. We say that the equation $t = t'$ holds
in the preiteration $\Sigma$-algebra $A$, or that $A$ satisfies $t = t'$, if for all $a \in A^X$,
$t_A(a) = t'_A(a)$, i.e., when the functions $t_A$ and $t'_A$ are equal. More generally,
we say that the implication $t_1 = t'_1 \wedge \ldots \wedge t_n = t'_n \Rightarrow t = t'$ holds in the
preiteration $\Sigma$-algebra $A$, where $t, t', t_i, t'_i$ are terms over $\Sigma$, if for all $a \in A^X$, if
$(t_i)_A(a) = (t'_i)_A(a)$, for all $i \in [n]$, then $t_A(a) = t'_A(a)$.

A variety of preiteration $\Sigma$-algebras is a class $V$ of preiteration $\Sigma$-algebras
consisting of the models of some set $E$ of equations between terms over $\Sigma$, i.e., such
that a preiteration $\Sigma$-algebra $A$ belongs to $V$ iff $A$ satisfies every equation in $E$.
The set $E$ is called an equational basis, or an equational axiomatization of $V$. It
follows that each class $\mathcal{K}$ of preiteration $\Sigma$-algebras is contained in a least variety
$V$, the class of all models of the equations that hold in every member of $\mathcal{K}$. $V$
is called the variety generated by $\mathcal{K}$. See [0] for more on varieties of iteration
algebras.

2.2 Iteration Algebras 

Some nontrivial equations that hold in all $\omega$-continuous $\Sigma$-algebras are (0),
(III3), (HU) given above. To define the group-equations, we need to extend the
$\mu$-notation to term vectors $t = (t_1, \ldots, t_n)$ over $\Sigma$. Let $x = (x_1, \ldots, x_n)$ be a
vector of distinct variables. When $n = 1$, $\mu x.t$ is just the term vector of dimension
1 whose unique component is $\mu x_1.t_1$. We identify any term vector of dimension
1 with its component. If $n > 1$, let $x' = (x_1, \ldots, x_{n-1})$, $t' = (t_1, \ldots, t_{n-1})$ and
$s = t'[\mu x_n.t_n/x_n]$. (Substitution into a term vector is defined componentwise.)
We define

$$\mu x.t = (\mu x'.s,\ (\mu x_n.t_n)[\mu x'.s/x']). \tag{13}$$

The definition is motivated by the Bekić-de Bakker-Scott rule [m]. It follows
that for any $\omega$-continuous $\Sigma$-algebra $A$, term vector $t = (t_1, \ldots, t_n)$ of dimension
$n$, and for any $x = (x_1, \ldots, x_n)$ and $a \in A^X$, $(\mu x.t)_A(a)$ is the least pre-fixed
point of the map $A^n \to A^n$, $b = (b_1, \ldots, b_n) \mapsto t_A(a_b)$, where of course $a_b(x_i) =
b_i$, for all $i \in [n]$, and $a_b(x) = a(x)$, if $x \notin \{x_1, \ldots, x_n\}$.
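The following Python is an added worked example, not code from the paper. It encodes $\mu$-terms, implements the simultaneous capture-avoiding substitution $t[t_1/x_1, \ldots]$ used in rule 3 of Section 2.1, evaluates terms in a small $\omega$-continuous $\Sigma$-algebra as in Example 1, and builds the term vector $\mu x.t$ of equation (13) from scalar $\mu$-prefixes, checking that its value agrees with the simultaneous least pre-fixed point on $A^n$. The algebra (the powerset of $\{0,1,2,3\}$ under inclusion, with union as $+$, a constant letter `one` and a monotone unary letter `s`), the signature and the variable names are assumptions of the example; on a finite lattice every monotone operation is $\omega$-continuous, so Kleene iteration from the least element reaches the least fixed point.

```python
"""mu-terms, substitution and least-fixed-point semantics (added example)."""
from itertools import count

# Term encoding chosen for this example:
#   ('var', x)                 the variable x
#   ('app', sigma, (t1, ...))  sigma(t1, ..., tn) for a letter sigma of rank n
#   ('mu', x, t)               mu x.t
def var(x): return ('var', x)
def app(sigma, *ts): return ('app', sigma, tuple(ts))
def mu(x, t): return ('mu', x, t)

def free_vars(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return set().union(*(free_vars(s) for s in t[2]))
    return free_vars(t[2]) - {t[1]}

_fresh = count()

def subst(t, sub):
    """Simultaneous substitution t[sub[x]/x ...]; binders are renamed so that
    no free variable of a substituted term is captured."""
    if t[0] == 'var':
        return sub.get(t[1], t)
    if t[0] == 'app':
        return ('app', t[1], tuple(subst(s, sub) for s in t[2]))
    x, body = t[1], t[2]
    sub = {y: s for y, s in sub.items() if y != x}        # x is bound here
    if any(x in free_vars(s) for s in sub.values()):      # rename the binder
        z = f'{x}_{next(_fresh)}'
        body, x = subst(body, {x: var(z)}), z
    return ('mu', x, subst(body, sub))

# The omega-continuous algebra of the example: subsets of {0,1,2,3} under inclusion.
BOTTOM = frozenset()
N = 4
OPS = {
    '+': lambda a, b: a | b,                                   # semilattice sum
    '0': lambda: BOTTOM,                                       # its zero
    'one': lambda: frozenset({0}),                             # a constant letter
    's': lambda a: frozenset(u + 1 for u in a if u + 1 < N),   # a monotone unary letter
}

def evaluate(t, ops, env):
    """t_A(env): the function the preiteration algebra assigns to t (Example 1)."""
    if t[0] == 'var':
        return env[t[1]]                                  # rule 1: projection
    if t[0] == 'app':
        return ops[t[1]](*(evaluate(s, ops, env) for s in t[2]))
    x, body, cur = t[1], t[2], BOTTOM
    while True:                                           # bottom, f(bottom), f(f(bottom)), ...
        nxt = evaluate(body, ops, {**env, x: cur})
        if nxt == cur:
            return cur                                    # least (pre-)fixed point
        cur = nxt

def mu_vec(xs, ts):
    """The term vector mu x.t of equation (13), built from scalar mu only."""
    if len(xs) == 1:
        return (mu(xs[0], ts[0]),)
    x_head, x_n, t_head, t_n = xs[:-1], xs[-1], ts[:-1], ts[-1]
    s = tuple(subst(t, {x_n: mu(x_n, t_n)}) for t in t_head)   # s = t'[mu x_n.t_n / x_n]
    mu_s = mu_vec(x_head, s)                                    # mu x'.s
    last = subst(mu(x_n, t_n), dict(zip(x_head, mu_s)))         # (mu x_n.t_n)[mu x'.s / x']
    return mu_s + (last,)

def simultaneous_lfp(xs, ts, ops, env):
    """Least pre-fixed point of b -> t_A(a_b) on A^n, iterated on all components at once."""
    cur = tuple(BOTTOM for _ in xs)
    while True:
        nxt = tuple(evaluate(t, ops, {**env, **dict(zip(xs, cur))}) for t in ts)
        if nxt == cur:
            return cur
        cur = nxt

def demo():
    x = var('x')
    star = evaluate(mu('x', app('+', app('s', x), app('one'))), OPS, {})
    # rule 3: (t[u/x])_A(a) = t_A(b) where b(x) = u_A(a)
    t, u = app('+', x, app('s', x)), app('s', app('one'))
    rule3 = evaluate(subst(t, {'x': u}), OPS, {}) == evaluate(t, OPS, {'x': evaluate(u, OPS, {})})
    # Bekic: the vector (x1, x2) with t1 = one + s(x2), t2 = s(x1)
    xs = ('x1', 'x2')
    ts = (app('+', app('one'), app('s', var('x2'))), app('s', var('x1')))
    via_13 = tuple(evaluate(c, OPS, {}) for c in mu_vec(xs, ts))
    direct = simultaneous_lfp(xs, ts, OPS, {})
    return star, rule3, via_13, direct

if __name__ == '__main__':
    print(demo())
```

`demo()` returns the value of $\mu x.(s(x) + \mathrm{one})$, the outcome of the rule 3 check, and the two computations of the vector fixed point; the last two coincide, which is exactly what equation (13) promises for an $\omega$-continuous algebra.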

Suppose now that $G$ is a finite group of order $n$ with multiplication denoted $\cdot$.
Moreover, suppose that the elements of $G$ are the integers in the set $[n]$. Given
a vector $x = (x_1, \ldots, x_n)$ of distinct variables and an integer $i \in [n]$, define
$i \cdot x = (x_{i \cdot 1}, \ldots, x_{i \cdot n})$. Thus, $i \cdot x$ is obtained by permuting the components of
$x$ according to the $i$th row of the multiplication table of $G$. The group-equation
associated with $G$ is

$$(\mu x.(t[1 \cdot x/x], \ldots, t[n \cdot x/x]))_1 = \mu y.t[y/x_1, \ldots, y/x_n],$$

where $t$ is any $\mu$-term over $\Sigma$, $y$ is a variable, and where $(\mu x.(t[1 \cdot x/x], \ldots, t[n \cdot
x/x]))_1$ is the first component of the term vector $\mu x.(t[1 \cdot x/x], \ldots, t[n \cdot x/x])$.
An iteration $\Sigma$-algebra is a preiteration $\Sigma$-algebra satisfying (0), (m), as
well as each group-equation. A homomorphism of iteration algebras is a preiteration
algebra homomorphism. A sub-iteration algebra of an iteration algebra is
just a sub-preiteration algebra.
Theorem 1. [m] The $\omega$-continuous $\Sigma$-algebras generate the variety of iteration
$\Sigma$-algebras.

Thus, an equation between terms over $\Sigma$ holds in all iteration $\Sigma$-algebras iff it
holds in all $\omega$-continuous $\Sigma$-algebras.

The above definitions apply to the case that the signature is of the form $\Sigma_{+,0}$. In
particular, any $\omega$-continuous semilattice $\Sigma$-algebra is an iteration $\Sigma_{+,0}$-algebra.
It is known that any "ordered preiteration $\Sigma$-algebra" satisfying the fixed
point equation and the least pre-fixed point rule is an iteration $\Sigma$-algebra. Using
this result we have:

Proposition 1. Any preiteration $\Sigma_{+,0}$-algebra satisfying (0) - (0), the fixed
point equation (m) and the least pre-fixed point rule (hli) is an iteration $\Sigma_{+,0}$-
algebra and satisfies (0) and (0).

For later use, we note

Lemma 1. Suppose that $A$ is a preiteration $\Sigma_{+,0}$-algebra satisfying (0) - (0),
(01), (0), (0). Then for all terms $t$ over $\Sigma_{+,0}$, $A$ satisfies the equation

$$t \leq t[x + y/x], \tag{14}$$

or equivalently, the implication $x \leq y \Rightarrow t \leq t[y/x]$.

3 The Completeness Results 

In this section we give precise formulations of the main completeness results of 
the paper. 

Theorem 2. An equation between terms over $\Sigma_{+,0}$ holds in all $\omega$-continuous
semilattice $\Sigma$-algebras iff it holds in all iteration $\Sigma_{+,0}$-algebras satisfying
equations (0) - (Q).

Corollary 1. An equation between terms over $\Sigma_{+,0}$ holds in all $\omega$-continuous
semilattice $\Sigma$-algebras iff it holds in all preiteration $\Sigma_{+,0}$-algebras satisfying the
Conway equations (0), (iiud), the group-equations associated with the finite groups,
and equations (0) - (0).

Corollary 2. An equation between terms over $\Sigma_{+,0}$ holds in all $\omega$-continuous
semilattice $\Sigma$-algebras iff it holds in all preiteration $\Sigma_{+,0}$-algebras satisfying
equations (0) - (0), (0), and the least pre-fixed point rule (Ell).

Corollary 3. An equation between terms over $\Sigma_{+,0}$ holds in all $\omega$-continuous
semilattice $\Sigma$-algebras iff it holds in all preiteration $\Sigma_{+,0}$-algebras satisfying
equations (0) - (0), (0), (0), (0), (E31), and the least fixed point rule (mi)

$$t[y/x] = y \Rightarrow \mu x.t \leq y,$$

where $t$ is any term over $\Sigma_{+,0}$.

To prove Theorem 2 we first give a concrete description of the free algebras in
the variety of iteration $\Sigma_{+,0}$-algebras satisfying (0) - (0). In the theorem below we show
that the free algebra on a set $A$ may be represented as the iteration $\Sigma_{+,0}$-algebra
of simulation equivalence classes of regular $(\Sigma, A)$-labeled synchronization trees.
We then show that each such free algebra can be embedded in an
$\omega$-continuous semilattice $\Sigma$-algebra. Theorem 2 is an immediate consequence of
these facts.

4 Synchronization Trees 

In this section we consider a generalization of the usual notion of synchronization
trees [23]. Suppose that $\Sigma$ is a signature and $A$ is a set disjoint from $\Sigma$. We extend
the rank function on $\Sigma$ to $\Sigma \cup A$ by defining the rank of each letter in $A$ to be
0. The resulting signature is denoted $\Sigma(A)$. A $(\Sigma, A)$-labeled (synchronization)
tree is a countable rooted hyper-tree $(V, E, r)$ equipped with a labeling function
$\lambda$ subject to certain conditions. Here, $V$ denotes the set of vertices and $E$ is the
set of (hyper-)edges, so that each edge $e \in E$ has a source $v \in V$ and a target
$(v_1, \ldots, v_n) \in V^n$, for some $n \geq 0$, called the rank of $e$. Accordingly, we write
$e : v \to (v_1, \ldots, v_n)$, and call $v$ and the $v_i$ the endpoints of $e$. We require that the
labeling function is compatible with the ranks, so that $e\lambda \in \Sigma(A)_n$ whenever $e$
has rank $n \neq 1$, and $e\lambda \in \Sigma_0 \cup A \cup \Sigma_1$ if $e$ has rank 1. Moreover, we require that
the target of any edge labeled in $\Sigma_0 \cup A$ is a leaf. Each synchronization tree has
an underlying directed graph defined in a straightforward way.

If $S = (V, E, r, \lambda)$ and $S' = (V', E', r', \lambda')$ are $(\Sigma, A)$-labeled trees, a simulation
$S \to S'$ is a relation $\rho : V \to V'$ such that the roots are related, i.e., $r\,\rho\,r'$,
and for all $e : v \to (v_1, \ldots, v_n)$ in $E$ and $v' \in V'$, if $v\,\rho\,v'$ then there is an edge
$e' : v' \to (v'_1, \ldots, v'_n)$ with $e\lambda = e'\lambda'$ and $v_i\,\rho\,v'_i$, for all $i \in [n]$. A bisimulation
$S \to S'$ is a simulation $\rho : S \to S'$ such that $\rho^{-1}$, the relational inverse of
$\rho$, is a simulation $S' \to S$. A functional simulation is a simulation which is a
function. It is obvious that the composition of simulations is a simulation. Thus
$(\Sigma, A)$-labeled synchronization trees and their (functional) simulations form a
category.

Proposition 2. If $\rho$ is a simulation $S \to S'$, where $S = (V, E, r, \lambda)$ and $S' =
(V', E', r', \lambda')$, then there is a functional simulation $\tau : S \to S'$ contained in $\rho$,
i.e., such that $(v, v\tau) \in \rho$ for all $v \in V$.

Thus, there is a simulation $S \to S'$ iff there is a functional simulation $S \to S'$.
Suppose that $S = (V, E, r, \lambda)$ is a $(\Sigma, A)$-labeled tree and $v \in V$. Let $V_v$ denote
the set of all vertices accessible from $v$ along a path in the underlying directed
graph of $S$. Let $E_v$ denote the set of all edges $e : u \to (u_1, \ldots, u_n)$ such that
$u \in V_v$ (and hence $u_1, \ldots, u_n \in V_v$), and let $\lambda_v$ be the restriction of $\lambda$ to $E_v$.
The resulting $(\Sigma, A)$-labeled synchronization tree $(V_v, E_v, v, \lambda_v)$ is denoted $S_v$.
We call $S_v$ the subtree of $S$ rooted at $v$. We let $(\Sigma, A)T$ denote the category
of all $(\Sigma, A)$-trees and functional simulations. Note that the isomorphisms in
$(\Sigma, A)T$ are the bijective functional simulations. Two subcategories of $(\Sigma, A)T$
are also of interest: the category $(\Sigma, A)F$ determined by the finite trees, and the
category $(\Sigma, A)R$ determined by the regular trees. We call a tree regular if it has,
up to isomorphism, a finite number of subtrees. Moreover, we call a functional
simulation $\tau : S \to S'$ normal if for all vertices $v_1, v_2$ of $S$, if $S_{v_1}$ and $S_{v_2}$ are
isomorphic, then so are $S'_{v_1\tau}$ and $S'_{v_2\tau}$. The proof of the following proposition is
omitted.

Proposition 3. Suppose that $S$ and $S'$ are trees and $\rho$ is a functional simulation
$S \to S'$. Then there exists a normal functional simulation $\tau : S \to S'$.



Proposition 4. [S] The category $(\Sigma, A)T$ is countably cocomplete.

Colimits can be constructed in the expected way. If $S_i = (V_i, E_i, r_i, \lambda_i)$, $i = 1, 2$,
are trees, then the coproduct $S_1 + S_2$ is the disjoint union of the $S_i$ with the
distinguished vertices identified. The coproduct injections are the obvious
embeddings. See [0] for a formal definition of $S_1 + S_2$. The empty coproduct, i.e.,
the initial object, is the tree $0$ with a single vertex and no edges. In addition to
coproducts, we will use colimits of $\omega$-diagrams $(S_n, f_n)_{n \geq 0}$, where $S_n = (V_n, E_n, r_n, \lambda_n)$
and $f_n : S_n \to S_{n+1}$. The colimit $(h_n : S_n \to S)$ can be constructed at the level
of sets.

From now on, we identify isomorphic trees, so that we may regard $(\Sigma, A)T$, the
category of $(\Sigma, A)$-trees and functional simulations, as a small skeletal category.
For each $\sigma \in \Sigma_n$ we define the functor $\sigma_{(\Sigma,A)T} : (\Sigma, A)T^n \to (\Sigma, A)T$ as follows.
Given trees $S_1, \ldots, S_n$ with roots $r_1, \ldots, r_n$, respectively, $\sigma_{(\Sigma,A)T}(S_1, \ldots, S_n) =
\sigma(S_1, \ldots, S_n)$ is the tree obtained from the $S_i$ by taking their disjoint union and
adding to this set a new vertex $r$ and a new edge $e : r \to (r_1, \ldots, r_n)$ labeled
$\sigma$. Vertex $r$ is the new root. On morphisms, $\sigma_{(\Sigma,A)T}$ is defined in the expected
way. When $n = 0$, $\sigma_{(\Sigma,A)T}$ is a tree with a single edge labeled $\sigma$. The following
fact is clear.

Proposition 5. [0] Each functor $\sigma_{(\Sigma,A)T}$ is $\omega$-continuous.

Thus, since the functor $+$ that forms binary coproducts is also $\omega$-continuous,
using Example 2 we have:

Proposition 6. [H] The isomorphism classes of $(\Sigma, A)$-trees form an iteration
$\Sigma_{+,0}$-algebra satisfying the equations (0) - (0) and (15)

$$\mu x.\mu y.x + y + z = \mu x.x + z. \tag{15}$$

We let $(\Sigma, A)T$ denote this iteration $\Sigma_{+,0}$-algebra. It is shown in [0] that the
regular trees determine a sub-iteration $\Sigma_{+,0}$-algebra of $(\Sigma, A)T$. We denote this
algebra by $(\Sigma, A)R$. The finite trees determine a $\Sigma_{+,0}$-algebra $(\Sigma, A)F$. The
following result gives an algebraic characterization of $(\Sigma, A)R$. Let us identify
each letter $a \in A$ with the tree which has a unique vertex and a unique edge,
which is labeled $a$.

Theorem 3. [0] $(\Sigma, A)R$ is freely generated by the set $A$ in the variety of iteration
$\Sigma_{+,0}$-algebras satisfying equations (CJ) - (0) and (eg).
The meaning of this result is that for any iteration $\Sigma_{+,0}$-algebra $B$ satisfying (o)
- (0) and (0), and for any function $h : A \to B$, there is a unique iteration
$\Sigma_{+,0}$-algebra homomorphism $h^\sharp : (\Sigma, A)R \to B$ extending $h$. There is a similar
result for finite trees.

Theorem 4. [0] $(\Sigma, A)F$ is freely generated by $A$ in the variety of algebras
satisfying equations (0) - (0).



4.1 The Simulation Preorder 

We will consider a preorder on trees. Suppose that $S$ and $T$ are $(\Sigma, A)$-labeled
trees. We write $S \leq T$ if there is a (functional) simulation $S \to T$. The equivalence
relation induced by this preorder $\leq$ is denoted $\equiv$. Relation $\leq$ is called the
simulation preorder and $\equiv$ the simulation equivalence.

Proposition 7. For all $(\Sigma, A)$-labeled trees $S$ and $S'$, we have $S \leq S'$ iff $S' \equiv
S + S'$.

Suppose now that for each variable $x$ we are given trees $S_x$ and $R_x$ with $S_x \leq R_x$.
Then for any term $t$, since $t_{(\Sigma,A)T}$ is a functor $(\Sigma, A)T^X \to (\Sigma, A)T$, we have
that $t_{(\Sigma,A)T}(S_x/x) \leq t_{(\Sigma,A)T}(R_x/x)$.

Proposition 8. For all $\mu$-terms $t$ over $\Sigma_{+,0}$ and for all families of $(\Sigma, A)$-
labeled trees $(S_x)_{x \in X}$ and $(R_x)_{x \in X}$ with $S_x \leq R_x$ for $x \in X$, it holds that

$$t_{(\Sigma,A)T}(S_x/x) \leq t_{(\Sigma,A)T}(R_x/x).$$

Proposition 9. Suppose that $s$ and $t$ are $\mu$-terms over $\Sigma_{+,0}$. If $s_{(\Sigma,A)T}(R_y/y) \leq
t_{(\Sigma,A)T}(R_y/y)$, for all families $(R_y)_{y \in X}$ of regular trees in $(\Sigma, A)R$, then also

$$(\mu x.s)_{(\Sigma,A)T}(R_y/y) \leq (\mu x.t)_{(\Sigma,A)T}(R_y/y),$$

for all families $R = (R_y)_{y \in X}$ of regular trees in $(\Sigma, A)R$, and for all $x$.

Proof. For a family $(R_y)_{y \in X}$ of regular trees, let $F$ denote the functor $(\Sigma, A)T \to
(\Sigma, A)T$ defined on objects by $S \mapsto s_{(\Sigma,A)T}(R_y/y, S/x)$. On morphisms, $F$ is defined in
a similar way. Let $G$ denote the corresponding functor using term $t$. Then $F^\omega =
(\mu x.s)_{(\Sigma,A)T}(R_y/y)$ is the colimit of the $\omega$-diagram $F^n(i_0) : F^n(0) \to F^{n+1}(0)$,
where $0$ is the empty tree and $i_0$ denotes the unique functional simulation $0 \to
F(0)$. Also, $G^\omega = (\mu x.t)_{(\Sigma,A)T}(R_y/y)$ is the colimit of the $\omega$-diagram $G^n(j_0) :
G^n(0) \to G^{n+1}(0)$ defined in the same way. It is easy to see that each $F^n(i_0)$
and $G^n(j_0)$ is injective, so that we may as well assume that each $F^n(i_0)$ and
$G^n(j_0)$ is an inclusion, and that $F^\omega$ and $G^\omega$ are the "unions" of the $F^n(0)$ and
$G^n(0)$, respectively. Suppose that $S$ is a finite tree with $S \leq F^\omega$. Then there is
some $n$ such that $S \leq F^n(0)$. But it follows from our assumption on $s$ and $t$ that
$F^n(0) \leq G^n(0)$, so that $S \leq G^n(0)$ and $S \leq G^\omega$. Since $F^\omega$ and $G^\omega$ are regular,
by Corollary [E], proved independently, we have $F^\omega \leq G^\omega$. $\square$

By the previous facts, simulation equivalence is a congruence on $(\Sigma, A)R$. Let
$(\Sigma, A)SR$ denote the quotient $(\Sigma, A)R/\!\equiv$.

Proposition 10. $(\Sigma, A)SR$ is an iteration $\Sigma_{+,0}$-algebra satisfying (OP) - (0).

Proof. Since $(\Sigma, A)SR$ is a quotient of $(\Sigma, A)R$, by Theorem [0] $(\Sigma, A)SR$ is an
iteration $\Sigma_{+,0}$-algebra satisfying (dO) - (0). It follows from Proposition [0] that
$(\Sigma, A)SR$ also satisfies (0) and that the relation $\leq$ is the partial order induced
by the semilattice structure. By Proposition [0] also (0) holds. Thus, it remains
to verify (0) and (0). Equation (0) follows from Exercise 5.21 in Chapter 8 of
[0]. Equation (0) is obvious. $\square$

Let $(\Sigma, A)SF$ denote the subalgebra of $(\Sigma, A)SR$ determined by the finite trees.

Theorem 5. [ini] For each set $A$, $(\Sigma, A)SF$ is freely generated by $A$ in the
variety of ordered semilattice $\Sigma$-algebras. An equation between finite $\Sigma_{+,0}$-terms
holds in all algebras of simulation equivalence classes of (finite) $(\Sigma, A)$-trees iff
it holds in all ordered semilattice $\Sigma$-algebras.



5 A Characterization of Simulation Equivalence Classes 
of Regular Trees 

In this section we give an algebraic characterization of simulation equivalence
classes of regular $(\Sigma, A)$-labeled trees. In the technical developments to follow,
for any term $t$ over $\Sigma_{+,0}$ and for any integer $k \geq 0$, we will use the abbreviation
$kt$ for the $k$-fold sum of $t$ with itself (where we take advantage of the associativity
of $+$). When $k = 0$, $kt$ is just the term $0$. Moreover, we will write $\infty t$ for the
term $\mu x.x + t$, where the variable $x$ does not occur in $t$.

A $(\Sigma, A)$-normal description of dimension $n$ in the variables $x_1, \ldots, x_n, y_1, \ldots,
y_p$ is an ordered pair $D = (t, a)$, where $t = (t_1, \ldots, t_n)$ is an $n$-dimensional
vector of terms over $\Sigma_{+,0}$ in the free variables $x_1, \ldots, x_n, y_1, \ldots, y_p$ and $a =
(a_1, \ldots, a_p) \in A^p$. Moreover, each term $t_i$ is primitive, i.e., a finite sum of terms
of the form $k\sigma(x_{j_1}, \ldots, x_{j_m})$ or $ky_j$, where $k \neq 0$, $\sigma \in \Sigma_m$, $m \geq 0$, $j_1, \ldots, j_m \in
[n]$ and $j \in [p]$. (It is allowed that $k = \infty$.) Let us denote $x = (x_1, \ldots, x_n)$
and $y = (y_1, \ldots, y_p)$. The behavior of $D$, denoted $|D|$, is the first component of
$(\mu x.t)_{(\Sigma,A)R}(a/y)$. Thus, the behavior of $D$ is a regular tree in $(\Sigma, A)R$.

Each regular tree $T \in (\Sigma, A)R$ is known to be the behavior of a description
$D = (t, a)$. To construct $D$, let $T_1, \ldots, T_n$ be an enumeration of the subtrees
of $T$ with $T = T_1$, and let $a_1, \ldots, a_p$ be an enumeration of those elements of
$A$ which appear as labels of some edges of $T$. We define $t = (t_1, \ldots, t_n)$ and
$a = (a_1, \ldots, a_p)$, where each $t_i$ corresponds to $T_i$ in the following manner. Each
edge $e : v \to (v_1, \ldots, v_m)$ whose source is the root of $T_i$ is labeled by some symbol
$\sigma \in \Sigma_m$ or some component of $a$. Suppose that $e$ is labeled $\sigma \in \Sigma_m$, $m > 0$.
Then let $T_{j_1}, \ldots, T_{j_m}$ denote the subtrees rooted at the vertices $v_1, \ldots, v_m$,
respectively, and let $k$ denote the total number of edges $v \to (v'_1, \ldots, v'_m)$ labeled
$\sigma$ such that the subtrees rooted at the vertices $v'_1, \ldots, v'_m$ are isomorphic to the
trees $T_{j_1}, \ldots, T_{j_m}$, respectively. (If there are an infinite number of such edges,
then $k = \infty$.) Then $k\sigma(x_{j_1}, \ldots, x_{j_m})$ is a summand of $t_i$. Similarly, if $e$ is labeled
$a_j$, say, then $ky_j$ is a summand of $t_i$, where $k$ is determined in the same way.



312 



Z. Esik 



Finally, if $v$ has an outedge labeled $\sigma \in \Sigma_0$, then $k\sigma$ is a summand of $t_i$, where
$k$ is the number of all such edges. The term $t_i$ is the sum of all such summands.
We call the description $D$ constructed in this way the canonical description of
$T$. (Note that the canonical description is unique only up to a rearrangement of
the components of $t$ and $a$ and renaming of the variables.) It is known that for
each $i$, the $i$th component of $(\mu x.t)(a)$ is the tree $T_i$. In particular, we have:

Proposition 11. [S] For the canonical description $D = (t, a)$ of the tree $T \in
(\Sigma, A)R$, it holds that $|D| = T$.
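The construction of the canonical description, as an added Python example (not the paper's code). A regular tree is given as a finite rooted graph whose states stand for its subtrees $T_1, \ldots, T_n$ up to isomorphism, with the root first; each hyper-edge carries a letter of $\Sigma$ or of $A$ and a tuple of target states, and repeated edges are counted to obtain the multiplicities $k$. The sample tree, its labels, and the assumption that distinct states denote pairwise non-isomorphic subtrees are choices of the example; $k = \infty$ cannot arise from a finite graph and is not represented, and letters of $A$ and of $\Sigma_0$ are encoded as edges with an empty target tuple.

```python
"""Canonical description of a regular tree (added example)."""

def canonical_description(root, graph, sigma):
    """graph maps each state (a subtree T_i, up to isomorphism) to its list of
    hyper-edges (label, target states).  Labels in sigma are letters of Sigma,
    any other label is a letter of A.  Assumes, like the construction in the
    text, that distinct states denote non-isomorphic subtrees."""
    states = [root] + [s for s in graph if s != root]        # T_1 = T comes first
    x_index = {s: i for i, s in enumerate(states, 1)}        # T_i <-> x_i
    a = sorted({lab for s in states for lab, _ in graph[s] if lab not in sigma})
    y_index = {lab: j for j, lab in enumerate(a, 1)}         # a_j <-> y_j
    t = []
    for s in states:
        counts = {}                                           # k = number of equal edges
        for lab, targets in graph[s]:
            key = (lab, tuple(x_index[v] for v in targets))
            counts[key] = counts.get(key, 0) + 1
        summands = tuple((k, lab, js) if lab in sigma else (k, 'y', (y_index[lab],))
                         for (lab, js), k in sorted(counts.items()))
        t.append(summands)
    return tuple(t), tuple(a)

def render(t, a):
    """The description in the notation of Section 5, one component per line."""
    lines = []
    for i, ti in enumerate(t, 1):
        parts = [f"{k}y{js[0]}" if lab == 'y' else f"{k}{lab}({', '.join(f'x{j}' for j in js)})"
                 for k, lab, js in ti]
        lines.append(f"t{i} = {' + '.join(parts) if parts else '0'}")
    lines.append(f"a = ({', '.join(a)})")
    return '\n'.join(lines)

# Constructed regular tree T = 2a(U) + a(W) with U = b and W = c + a(T),
# where a is in Sigma_1 and b, c are letters of A.
GRAPH = {
    'T': [('a', ('U',)), ('a', ('U',)), ('a', ('W',))],
    'U': [('b', ())],
    'W': [('c', ()), ('a', ('T',))],
}

if __name__ == '__main__':
    print(render(*canonical_description('T', GRAPH, {'a'})))
```

For the constructed tree the output is the description $t_1 = 2a(x_2) + a(x_3)$, $t_2 = y_1$, $t_3 = a(x_1) + y_2$, $a = (b, c)$, whose behavior is $T$ by Proposition 11.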

Theorem 6. For each set $A$, $(\Sigma, A)SR$ is freely generated by $A$ in the variety
of iteration $\Sigma_{+,0}$-algebras satisfying equations (0) - (0).

Proof. By Proposition 10, $(\Sigma, A)SR$ is an iteration $\Sigma_{+,0}$-algebra satisfying (P) -
(dzj). Suppose that $B$ is an iteration $\Sigma_{+,0}$-algebra which also satisfies these equations,
and suppose that $h$ is a function $A \to B$. By Theorem 3, $h$ extends to
a unique homomorphism $(\Sigma, A)R \to B$ that we also denote by $h$. If we can show
that $T \leq T'$ implies $Th \leq T'h$, for all trees $T, T' \in (\Sigma, A)R$, then it follows that
$h$ factors through the quotient map $(\Sigma, A)R \to (\Sigma, A)SR$. Thus,

$$h = (\Sigma, A)R \xrightarrow{\ \tau\ } (\Sigma, A)SR \xrightarrow{\ h^\sharp\ } B,$$

where $\tau$ is the quotient map. Using Theorem 3, it follows that $h^\sharp$ is the unique
extension of $h$ to a homomorphism $(\Sigma, A)SR \to B$.

So assume that $T, T'$ are regular $(\Sigma, A)$-labeled trees with $T \leq T'$. Let $D = (t, a)$
and $D' = (t', a')$ denote the canonical descriptions of $T$ and $T'$, respectively,
where $t = (t_1, \ldots, t_n)$, $t' = (t'_1, \ldots, t'_{n'})$, $a = (a_1, \ldots, a_p)$, $a' = (a'_1, \ldots, a'_{p'})$.
Let $x_1, \ldots, x_n, y_1, \ldots, y_p$ and $x'_1, \ldots, x'_{n'}, y'_1, \ldots, y'_{p'}$ denote the free variables
appearing in $t$ and $t'$, respectively, where each $x_i$ corresponds to $t_i$, each $y_j$ to
$a_j$, etc. Recall that each $x_i$ also corresponds to a subtree $T_i$ of $T$, and similarly,
each $x'_i$ to a subtree $T'_i$ of $T'$. Since $T \leq T'$, we have $p \leq p'$ and $\{a_1, \ldots, a_p\} \subseteq
\{a'_1, \ldots, a'_{p'}\}$, so that without loss of generality we may assume that $a'_j = a_j$, for
all $j \in [p]$. Let $\varphi$ denote a functional simulation $T \leq T'$. By Proposition 3 we
may assume that $\varphi$ is normal. Thus, we can use $\varphi$ to define a map $\psi : [n] \to [n']$
such that $T_i \leq T'_{i\psi}$ for each $i \in [n]$: if $v$ is any vertex of $T$ such that the subtree
of $T$ rooted at $v$ is isomorphic to $T_i$, then we let $i\psi$ be the integer in $[n']$ such
that the subtree of $T'$ rooted at $v\varphi$ is isomorphic to $T'_{i\psi}$. For each $i \in [n]$, let $t_i\psi$
denote the term that results from $t_i$ by substituting $x'_{j\psi}$ for $x_j$, $j \in [n]$, and $y'_j$
for $y_j$, $j \in [p]$, i.e., $t_i\psi = t_i[(x'_{1\psi}, \ldots, x'_{n\psi}, y'_1, \ldots, y'_p)/(x_1, \ldots, x_n, y_1, \ldots, y_p)]$.
Since $\varphi$ is a simulation, whenever $k\sigma(x_{j_1}, \ldots, x_{j_m})$ is a summand of $t_i$, where
$k \neq 0$, there exists some $k' \neq 0$ such that $k'\sigma(x'_{j_1\psi}, \ldots, x'_{j_m\psi})$ is a summand of $t'_{i\psi}$.
Also, if for some $k \neq 0$, $ky_j$ is a summand of $t_i$, then there is some $k' \neq 0$
such that $k'y'_j$ is a summand of $t'_{i\psi}$. It follows that with respect to equations (m)
- (®), (©) and (o), we have that $t_i\psi + t'_{i\psi} = t'_{i\psi}$, i.e., $t_i\psi \leq t'_{i\psi}$. Thus for each $i$
there is some primitive term $s_i$ in the variables $x_1, \ldots, x_n, y_1, \ldots, y_p$ such that,
modulo the equations (P) - (0), (JEI) and (0), we have

$$(t_i + s_i)\psi = t'_{i\psi}, \tag{16}$$
where $(t_i + s_i)\psi$ is defined in the same way as $t_i\psi$. Let $r = (r_1, \ldots, r_n)$, where
$r_i = t_i + s_i$, for all $i \in [n]$, and let $R$ denote the first component of $(\mu x.r)(a)$.
We use equations (m) to prove

Lemma 2. There is a bisimulation $R \to T'$.

It was shown in [5] that regular trees in $(\Sigma, A)R$ modulo bisimulation form an
iteration algebra $(\Sigma, A)BR$ freely generated by $A$ in the variety of iteration
$\Sigma_{+,0}$-algebras satisfying (®) - (o) and (O). Thus, by Lemma 2 we have that
$Rh = T'h$. On the other hand, by Lemma 3, $Th \leq Rh$. Thus, $Th \leq T'h$. $\square$

In the next lemma we will say that an inequation $(t_1, \ldots, t_n) \leq (s_1, \ldots, s_n)$
between vectors of terms over $\Sigma_{+,0}$ holds in a preiteration $\Sigma_{+,0}$-algebra, or in a
class of preiteration $\Sigma_{+,0}$-algebras, if each equation $t_i + s_i = s_i$ holds.

Lemma 3. Suppose that $t = (t_1, \ldots, t_n)$ and $s = (s_1, \ldots, s_n)$ are term vectors
in the free variables $x_1, \ldots, x_n, y_1, \ldots, y_p$. Let $x = (x_1, \ldots, x_n)$. If $t \leq s$ holds
in the variety $V$ of iteration $\Sigma_{+,0}$-algebras satisfying (m) - (0), then so does

$$\mu x.t \leq \mu x.s.$$

Proof. By induction on $n$ using (m). The basis case holds by (0). $\square$

6 An Embedding Theorem 

In this section we prove that for each set $A$, there is an $\omega$-continuous semilattice
$\Sigma$-algebra $B$ such that $(\Sigma, A)SR$ can be embedded in $B$. We call a tree $T \in
(\Sigma, A)T$ finitely branching if each vertex of $T$ is the source of a finite number of
hyper-edges. For a tree $T \in (\Sigma, A)T$, we denote by $K(T)$ the collection of all
finite trees $S$ with $S \leq T$.

Lemma 4. Suppose that $T, T' \in (\Sigma, A)T$ such that $T'$ is finitely branching.
Then $T \leq T'$ iff $K(T) \subseteq K(T')$.

Proof. It is clear that $K(T) \subseteq K(T')$ whenever $T \leq T'$. The reverse implication
is obvious when $T$ is finite. So assume that $T$ is infinite, say $T = (V, E, r, \lambda)$.
Let $K_f(T)$ denote the collection of all trees $S = (W, F, r, \lambda_F)$ such that $W$ and
$F$ are finite subsets of $V$ and $E$, respectively, and the inclusion $W \to V$
determines a functional simulation $S \to T$. Then let $T_0 = (V_0, F_0, r, \lambda_0), T_1 =
(V_1, F_1, r, \lambda_1), \ldots$ be a sequence of trees in $K_f(T)$ such that each vertex $v \in V$
appears in all but a finite number of the $V_i$. Since $K_f(T) \subseteq K(T) \subseteq K(T')$,
for each $i$ there exists a functional simulation $\rho_i : T_i \to T'$. We show how to
construct a functional simulation $\rho : T \to T'$. Let $v$ denote a vertex in $V$. We
define $v\rho$ by induction on the depth of $v$ such that $v \in V_i$ and $v\rho = v\rho_i$ hold
for an infinite number of the $i$'s. When $v$ is the root $r$, we define $v\rho = r'$, the
root of $T'$. Suppose now that the depth of $v$ is positive. Let $u$ denote the vertex
such that there is an edge $u \to (v_1, \ldots, v_m)$ in $E$ with $v_j = v$ for some $j$. By the
induction assumption, there is an infinite set $I$ such that $u \in V_i$ and $u\rho = u\rho_i$,
for all $i \in I$. Moreover, by our assumption on the sequence $T_k$, $k \geq 0$, there is
an infinite set $I' \subseteq I$ such that $v$ is a vertex of $T_i$, for all $i \in I'$, and since $T'$
is finitely branching, there is an infinite set $I'' \subseteq I'$ such that $v\rho_i$ is the same
vertex of $T'$, for all $i \in I''$. Define $v\rho$ to be this vertex of $T'$. $\square$

Given an edge $e : v \to (v_1, \ldots, v_n)$ of a tree $S = (V, E, r, \lambda)$, the vertices of the
tree $T$ determined by $e$ are the vertex $v$ and those vertices $v' \in V$ accessible
from the $v_i$ in the underlying directed graph of $S$. The root of $T$ is $v$, and its
edges are those edges in $E$ whose endpoints belong to the vertex set of $T$. The
labeling function is the restriction of the labeling function $\lambda$. We call a $(\Sigma, A)$-
labeled tree $S$ reduced if for any two distinct edges $e : v \to (v_1, \ldots, v_n)$ and
$e' : v \to (v'_1, \ldots, v'_n)$ with the same source, the trees determined by $e$ and $e'$ are
incomparable with respect to $\leq$, i.e., either $e$ and $e'$ have distinct labels or there
exists some $i \in [n]$ such that $S_{v_i} \not\leq S_{v'_i}$ and $S_{v'_i} \not\leq S_{v_i}$.

Lemma 5. Suppose that $S$ and $S'$ are reduced $(\Sigma, A)$-labeled trees. Then $S \equiv S'$
iff $S$ and $S'$ are isomorphic.

Proposition 12. If $S$ is a regular (finite, respectively) $(\Sigma, A)$-labeled tree, then
up to isomorphism there is a unique reduced tree $S'$ with $S \equiv S'$. Moreover, $S'$
is also regular (finite, respectively).

Example 3. Suppose that $\sigma \in \Sigma_1$. Define $\sigma^0(0) = 0$ and $\sigma^{n+1}(0) = \sigma(\sigma^n(0))$,
so that each $\sigma^n(0)$ is reduced. Let $T = \sum_{n \geq 0} \sigma^n(0)$. Then there is no reduced tree
simulation equivalent to $T$. On the other hand, if $S_1, \ldots, S_k$ are reduced, then
there is a reduced tree simulation equivalent to $S_1 + \cdots + S_k$.

By the above results, we may represent $(\Sigma, A)SF$ as an ordered semilattice $\Sigma_{+,0}$-
algebra of finite reduced $(\Sigma, A)$-labeled trees. In the same way, $(\Sigma, A)SR$ may
be represented as an iteration $\Sigma_{+,0}$-algebra of reduced regular trees. Since any
reduced regular tree is finitely branching, from Lemma 4 and Proposition 12 we
deduce

Corollary 4. Suppose that $T, T'$ are $(\Sigma, A)$-labeled trees and $T'$ is regular. Then
$T \leq T'$ iff $K(T) \subseteq K(T')$.

Example 4. There exist nonisomorphic trees $T, S$ such that $K(T) = K(S)$. Indeed,
let $T = \sum_{n \geq 0} \sigma^n(0)$ as in Example 3, and let $S$ be the colimit of the $\omega$-diagram
$(\sigma^n(0) \to \sigma^{n+1}(0))_{n \geq 0}$.

Theorem 7. For each set $A$ there exists an $\omega$-continuous semilattice $\Sigma$-algebra
$B$ and an injective iteration $\Sigma_{+,0}$-algebra homomorphism $(\Sigma, A)SR \to B$.

Proof. By Theorem 5, the algebra $(\Sigma, A)SF$ of simulation equivalence classes
of finite $(\Sigma, A)$-labeled trees is freely generated by $A$ in the variety of ordered
semilattice $\Sigma$-algebras. Now $(\Sigma, A)SF$ is a "strict ordered algebra", so that
its completion $B = (\Sigma, A)ISF$ by "$\omega$-ideals" is an $\omega$-continuous $\Sigma_{+,0}$-algebra
satisfying every equation satisfied by $(\Sigma, A)SF$. In particular, $(\Sigma, A)ISF$ is an
$\omega$-continuous semilattice $\Sigma$-algebra. (In fact, it follows from well-known facts
that $(\Sigma, A)ISF$ is the free $\omega$-continuous semilattice $\Sigma$-algebra on $A$, see [0].)
By Corollary 4, the map $T/\!\equiv\ \mapsto K(T)$, $T \in (\Sigma, A)R$, is a well-defined injective
function $(\Sigma, A)SR \to B$. We show that this function is an iteration $\Sigma_{+,0}$-algebra
homomorphism. $\square$
7 Further Results

By the Knaster-Tarski theorem, every monotonic function on a complete lattice
has a least fixed point. Accordingly, one might wish to consider algebras over
complete lattices equipped with monotonic or continuous operations, the binary
supremum operation and the constant $0$ representing the least element. The
axioms of Theorem 2 and Corollaries 1, 2, 3 are sound in these models. Moreover,
every iteration algebra $(\Sigma, A)SR$ can be embedded in an iteration algebra
derived from a complete lattice equipped with continuous operations. Hence, our
main results remain valid for these models as well. Also, the least fixed point
operation may be replaced by the greatest fixed point operation provided the
binary supremum operation is replaced by the infimum operation. Very little
is known about the equational theory when infimum and supremum and both
extremal fixed point operations are present.

It is well-known that the problem to decide whether two finite transition systems
are bisimilar lies in P (see, e.g., [m]); in fact, it is P-complete, cf. [4]. It is
not difficult to show that the same holds for simulation equivalence. Now each
$\mu$-term $t$ over $\Sigma_{+,0}$ can be transformed in logarithmic space to a finite transition
system $S(t)$ such that $t = t'$ holds in all $\omega$-continuous semilattice $\Sigma$-algebras, for terms $t, t'$, iff
$S(t)$ is simulation equivalent to $S(t')$ (i.e., when the tree obtained by unfolding
$S(t)$ is simulation equivalent to the tree obtained by unfolding $S(t')$). In
conclusion, there is a polynomial algorithm to decide whether an equation holds
in all $\omega$-continuous semilattice $\Sigma$-algebras. Suppose that $\Sigma$ contains a letter whose
rank is not $0$. Then iteration $\Sigma$-algebras do not possess a finite axiomatization
in terms of equation schemes [El]. It is not difficult to modify the proof of this
result to show that the variety generated by $\omega$-continuous semilattice $\Sigma$-algebras
also does not possess a finite axiomatization. This also follows from the fact that
Kleene algebras of binary relations (or regular languages) have no finite basis of
their equations, see [10] or [3] for a recent improvement, but have a finite basis
over the equations of iteration algebras and in fact relative to the equations
of $\omega$-continuous semilattice $\Sigma$-algebras.

As for related results to be published in a forthcoming paper, we would like to mention a similar treatment of continuous additive Σ-algebras. The equational theory of these algebras is intimately related to that of the resource simulation equivalence classes of processes, or trees ims].

References 

1. L. Aceto, W.J. Fokkink and A. Ingolfsdottir, A menagerie of non-finitely based process semantics over BPA*: from ready simulation to completed traces, Math. Struct. Comput. Sci., 8(1998), 193-230.

2. L. Aceto, W.J. Fokkink and A. Ingolfsdottir, On a question of A. Salomaa: The equational theory of regular expressions over a singleton alphabet is not finitely based, Theoret. Comput. Sci., 209(1998), 163-178.

3. J.W. De Bakker and D. Scott, A theory of programs, IBM Seminar, Vienna, 1969.

4. J. Balcazar, J. Gabarro and M. Santha, Deciding bisimilarity is P-complete, Formal Aspects of Computing, 4(1992), 638-648.






5. H. Bekic, Definable operations in general algebras, and the theory of automata and flowcharts, Technical Report, IBM Laboratory, Vienna, 1969.

6. D. Benson and J. Tiuryn, Fixed points in free process algebras, Theoret. Comput. Sci., 63(1989), 275-294.

7. S.L. Bloom, Varieties of ordered algebras, J. Comput. System Sci., 13(1976), 200-212.

8. S.L. Bloom and Z. Esik, Iteration Theories, Springer-Verlag, 1993.

9. S.L. Bloom and Z. Esik, The equational logic of fixed points, Theoret. Comput. Sci., 179(1997), 1-60.

10. J.H. Conway, Regular Algebra and Finite Machines, Chapman and Hall, London, 1971.

11. F. Corradini, R. De Nicola and A. Labella, Tree morphisms and bisimulations, in: Proc. MFCS'98 Workshop on Concurrency, ENTCS, 18(1998).

12. F. Corradini, R. De Nicola and A. Labella, A finite axiomatization of nondeterministic regular expressions, Theoret. Inform. Appl., 33(1999), 447-465.

13. F. Corradini, R. De Nicola and A. Labella, Models of nondeterministic regular expressions, J. Comput. Sys. Sci., 59(1999), 412-449.

14. Z. Esik, Completeness of Park induction, Theoret. Comput. Sci., 177(1997), 217-283.

15. Z. Esik, Group axioms for iteration, Inform. and Comput., 148(1999), 131-180.

16. W. Fokkink and H. Zantema, Basic process algebra with iteration: Completeness of its equational axioms, Computer Journal, 37(1994), 259-267.

17. R.J.H. van Glabbeek, The linear time - branching time spectrum, Chapter 1 in: Comparative Concurrency Semantics and Refinement of Actions, R.J.H. van Glabbeek, CWI TRACT 109, 1996.

18. C.C. Gunter, Semantics of Programming Languages, MIT Press, 1992.

19. P.C. Kanellakis and S.A. Smolka, CCS expressions, finite state processes and three problems of equivalence, Inform. and Comput., 86(1990), 43-68.

20. D. Kozen, A completeness theorem for Kleene algebras and the algebra of regular events, Inform. and Comput., 110(1994), 366-390.

21. D. Krob, Complete systems of B-rational identities, Theoret. Comput. Sci., 89(1991), 207-343.

22. R. Milner, A complete inference system for a class of regular behaviours, J. Comput. Syst. Sci., 28(1984), 439-466.

23. R. Milner, Communication and Concurrency, Prentice-Hall, 1989.

24. D.M.R. Park, Fixpoint induction and proofs of program properties, in: Machine Intelligence 5, D. Michie and B. Meltzer, Eds., Edinburgh Univ. Press, 1970, 59-78.

25. D.M.R. Park, Concurrency and automata on infinite sequences, in: Proc. GI Conference, P. Deussen, Ed., LNCS 104, Springer-Verlag, 1981, 167-183.

26. A. Salomaa, Two complete axiom systems for the algebra of regular events, J. Assoc. Comput. Mach., 13(1966), 158-169.




Interactive Programs in Dependent Type Theory

Peter Hancock¹ and Anton Setzer²

¹ Dept. of Computing Science, University of Edinburgh, James Clerk Maxwell Building, King's Buildings, Mayfield Road, Edinburgh EH9 3JZ, Scotland, fax: +44 131 667 7209, phone: +44 131 650 5129, pgh@dcs.ed.ac.uk.

² Dept. of Mathematics, Uppsala University, P.O. Box 480, SE-751 06 Uppsala, Sweden, fax: +46 18 4713201, phone: +46 18 4713284, setzer@math.uu.se.


Abstract. We propose a representation of interactive systems in dependent type theory. This is meant as a basis for an execution environment for dependently typed programs, and for reasoning about their construction. The inspiration is the 'I/O-monad' of Haskell. The fundamental notion is an I/O-tree; its definition is parameterised over a general notion of dependently typed, command-response interactions called a world. I/O-trees represent strategies for one of the parties in a command/response interaction - the notion is not confined to functional programming. We present I/O-trees in two forms. The first form, which is simpler, is suitable for Turing-complete functional programming languages with general recursion, but is non-normalising. The second is definable within (ordinary) normalising type theory and we identify programs written in it as 'normalising I/O-programs'. We define new looping constructs (while and repeat), and a new refinement construct (redirect), which permits the implementation of libraries. We introduce a bisimulation relation between interactive programs, with respect to which we prove the monad laws and defining equations of while. Most definitions in this article make essential use of the expressive strength of dependent typing.

Keywords. Functional programming, reactive programming, interaction, dependent types, monadic I/O, repetition constructs, refinement.



1 I/O Concepts in Type Theory 

Programming languages based on dependent types. Some 20 years ago, Martin-Löf 0 suggested that his type theory, originally a framework for constructive mathematics, could be considered as a programming language, and his suggestion has been taken up and explored in a number of ways (see for example PJ). A question which seems to have received little attention is the form of the input-output interface of such programs. Indeed it is only in the last 10 years that this question has been satisfactorily answered in the context of conventional functional programming, through the efforts of Moggi [S|, Wadler and others.

Dependent types give us the ability to express with full precision any extensional property of a program which can be defined mathematically. For example, we can express the requirement for a function which maps lists to sorted lists using a dependent type. Remarkably, with certain provisos of largely academic interest, we can still check the type of a program mechanically, and type-correctness carries full assurance that it satisfies its specification. In the past few years, implementations of dependent type systems for functional programming have begun to appear p. So far however the implications of dependent types for specification of interfaces and programs have not been examined.

Conventions, and plan of paper. In the following, we will work in a standard 
dependent type theory (for example [^) with the usual introduction and elim- 
ination rules, including intensional equality, extended by some other rules. We 
will refer to it simply as ‘type theory’. The notation we use, which is for the 
most part standard, is summarised in the appendix of the paper. Note that we 
sometimes omit indices and superscripts. 

The plan of the paper is as follows. In the remainder of this section, we explain 
why one needs a model of interaction in type theory, and recall the approach 
taken in the functional programming language Haskell, using a monadic type 
form whose values are I/O-programs. In the next section, we present our exten- 
sion of this notion, making use of type dependency. The third section introduces 
two repetition constructs (while and repeat), and a refinement or redirection 
construction. In the fourth, we point out that the repetition constructs can de- 
stroy normalisation, and develop an alternative formulation, which preserves it. 
Finally there is a concluding section, followed by a summary of our notation. 

The need for interactive programs in type theory. Traditional ‘batch’ pro- 
grams may be written in type theory as functions from input values (given in 
advance) to output values. The output from such a program is the result of ap- 
plying the function to its input. This batch model is adequate for a large class of 
programs, typically numerical search or optimisation programs. It is not however 
adequate for a program which runs, say, in the guidance system of an airplane. 

The programs one is ordinarily confronted with interact with their environ- 
ment while they are running. We give input via devices like keyboard or micro- 
phone and get output via devices like monitor or loudspeaker, and this input- 
output cycle is repeated again and again. Programs may also interact with the 
file system, the network or via physical sensors and actuators of some kind. So 
if we want to use type theory as a practical functional programming language, 
we have to consider how to use it to write interactive (or reactive) programs. 

Some approaches to interactive programs in type theory. In conventional functional programming, several approaches to interaction have been pursued. A good survey of some of these approaches is made in m: dialogues (or lazy streams), continuations, and monadic I/O. Mention should also be made of the 'uniqueness types' of the language Concurrent Clean¹. In this paper we follow the monadic approach, introduced by E. Moggi 0, upon which the input/output (I/O-) system of the language Haskell² has been erected. A monad (the concept comes from category theory) is a triple (M, *, η) whose components, written in dependent type theory, have types

M : Set → Set,
* : (A, B : Set, p : M A, q : A → M B) → M B,
η : (A : Set, a : A) → M A,

such that the following laws hold with respect to a given equivalence relation =. (Instead of η A a we will write η_A a.)

η_A a *_{A,B} q = q a,
p *_{A,B} λx. η_B x = p,
(p *_{A,B} q) *_{B,C} r = p *_{A,B} (λx. q x *_{B,C} r).

¹ http://www.cs.kun.nl/~clean
² http://haskell.org

A special case of a monad is the I/O-monad. When referring to the I/O-monad, we write (IO A) instead of (M A). The interpretation of IO is as follows.

(a) For a given set A, (IO A) is the set of interactive programs that may or may not terminate, but terminate only with a result a of type A.

(b) The program p * q first executes p. If p terminates with result a, then the program continues with (q a). The result of the whole program is the result of (q a).

(c) The program η a simply terminates with result a, without any interaction.

Additionally, one adds functions for specific interactions. For example, we can deal with programs that communicate by writing and reading strings (such as text lines): write : String → IO 1, read : IO String. Here (write s) is the program that outputs s on some device and returns •, and read : IO String is the program that reads a string and returns it.

For the reader unfamiliar with type checking programs written using an I/O-monad, it is worth stressing that type checking interactive programs does not itself require any interaction, since we type check the program text.

For the I/O-monad, one sees that the laws mentioned above should hold with 
respect to an equality that identifies behaviourally equivalent programs. 

Interactive programs are written in Haskell by using a form of the I/O-monad 
that gives access to the usual facilities of an operating system, including files, 
graphics, and time, as well as control features like exception handling or multi- 
threading. 

The I/O-monad seems to be the most promising approach for the represen- 
tation of interactive programs within dependent type theory. To add it as a new 
concept would however involve adding besides new typing judgements also new 
judgement level equations for the monad laws. This is more than the relativisa- 
tion of type theory to a context of typed variables. The implications of this for 
the metamathematical properties of type theory are unclear to the authors. 

Since we have access to powerful data type constructions in type theory, an 
easier approach is to define the I/O-monad and derive the monad laws directly 
in type theory. We still need something beyond mere evaluation of expressions, 
namely the ability to actually run an I/O-program. However we can use elimi- 
nation rules for modifying I/O-programs and we shall make substantial use of 
it in the following. Note that for efficiency reasons one might implement the execution of I/O programs in a different way, using for example a continuation monad with an 'answer' type of I/O programs. The paper ^ describes some of the options one has for implementing datatypes such as monads.

2 I/O-Trees 



Worlds. Interactive programs are built from interactive commands. In dependent type theory we can define such sets of interactive commands in a very general way, parameterise over them and switch between command sets.

Let C be a set of instructions or commands. These include commands to obtain input, commands to produce output, and commands with a mixed effect. For commands c : C let (R c) be a type of responses produced when command c has been performed. (C, R) will be called a world:

General assumption and definition 2.1. A world w is a pair (C, R) such that C : Set and R : C → Set. In the following w is always a world (C, R). We will in most cases omit the parameter w.

Examples for constructors of C might be

(a) write : String → C with R (write s) = 1: write s is the command for writing s and returning • : 1 for success.

(b) read : C, with R read = String: read a string and return it.

Of course in practice the commands would be more complex. For example, there might be an embellishment of write where R (write s) = {success, fail} and (write s) returns the information whether the output was performed successfully or not. We might as well have commands for interaction with file systems, networks etc.

I/O-trees. We want to define the I/O-monad as a data type constructed in type theory. It seems particularly suitable to define it as an inductive data type, because we can then carry out program transformations using the elimination rule associated with such types. A naive idea would be to take *, η and the additional primitive instructions such as read and (write a) as constructors for this type. However we need to verify the monad laws, and it turns out that the naive approach would require us to define a rather complicated equality relation. The situation is analogous to the definition of the set of natural numbers. We could define it from 0, 1 and +, which correspond in the I/O-monad to η, the primitive instructions and *. It is however much better to take 0 and successor S as constructors, and to define 1 and addition. What corresponds now to S in the IO-monad? This should be the operation which takes an instruction and a family or 'jump table' of programs depending on the result of performing that instruction, and creates a new program that begins by issuing this instruction and then, when the instruction has been performed, continues with the program determined by its result. Instructions are given by C, where w = (C, R) is a world, and R provides the result type. So we have the following rules for IO_w A:

IO_w : Set → Set, where IO_w A has constructors
leaf : A → IO_w A,
do : (c : C, p : R c → IO_w A) → IO_w A.

The constructor (leaf a) is what was written η_A a before, and (do c p) denotes the program that first issues the command c, and depending on the result r : R c returned by the environment continues with (p r). Note that (IO_w A) is now parameterised with respect to w, a feature expressible only with dependent types.

(IO_w A) is the set of well-founded I/O-trees with leaves in A and inner nodes labelled by some c : C and with branching degree (R c) (i.e. the subtrees of that node are indexed over (R c)). (IO_w A) is a near variant of the "W-type" in standard type theory: The type expression W x : A. B denotes the type of well-founded trees with nodes labelled by elements a : A and having then branching degree B[x := a], see 0 pages 109-114] and [3 pages 79-86] for details. In proof theory, the W-type turns out to be a very powerful construction: see HH

Execution of I/O-programs. Up to now we have defined an inductive data 
type of I/O-programs within constructive type theory, but there is still no way 
to actually run such a program. Execution is an external operation rather than 
a constant within type theory. Just as an implementation of type theory will 
provide an external operation or facility to compute (and display) the (head-) 
normal form of a term, so we propose to provide a second operation that executes 
a term denoting an I/O-program. 

More precisely, this works as follows. Let w_0 = (C_0, R_0) be a world corresponding to the real commands, so that to every c : C_0 there corresponds a real I/O-command having some value r : R_0 c as result. If we have derived p : IO_{w_0} A, then the external operation execute can be performed upon p. The operation execute does the following. It reduces p to canonical form, i.e. to a term of constructor form. This form must be either (leaf a) or (do c q). If it is (leaf a), then a : A and execution terminates, yielding as result a (which, when running the program from a command line, will be displayed in a similar way as the result of the evaluation of an expression). If it is (do c q), then first the interactive command corresponding to c is performed, obtaining a result r : R c, after which execution continues with (q r).

Roughly speaking a program p is evaluated to normal form, as it were ‘fetch- 
ing’ the next instruction. The instruction is ‘executed’, and the result used to 
select the next program to be evaluated. So through successive interactions we 
trace out a descending chain through the tree p. 

A first example. In the following example we assume commands readstr and (writestr s) for reading and writing strings and a Boolean valued equality =_String on strings. The following program prompts for the root-password. If the user types in the right one ("Wurzel"³) the program terminates successfully, otherwise it responds with "Login incorrect" and fails. We use some syntactic sugar.

C = {readstr} ∪ {writestr s | s : String} : Set,
R : C → Set,
R readstr = String,
R (writestr s) = 1,

Wurzel = do (writestr "Password (root):")
         λa. do readstr
         λs. if s =_String "Wurzel"
             then leaf success
             else do (writestr "Login incorrect")
                  λa. leaf fail
       : IO {success, fail}.

³ This really happened.

η, *. It is now easy to define η and * and verify the monad laws for well-founded trees with extensional equality (by 0] this is not the most efficient solution):

η_A a = leaf a,
leaf a *_{A,B} q = q a,
do c p *_{A,B} q = do c (λx. p x *_{A,B} q).

3 Constructions for Defining I/O-Trees 

It should be possible to define interactive programs with infinitely many interactions. For instance, if we execute an editor and never terminate the program, the execution should go on forever. So we need constructions for defining such programs. This will however destroy normalisation. We will see in Sect. 4 how to modify the concept in order to obtain a normalising type theory. The definitions of all constructions in this section are possible only in the presence of dependent types, which demonstrates their expressive power.

repeat. Assume A, B : Set, b : B, p : B → IO_w (B + A). We want to define a program repeat_{w,A,B} b p : IO_w A, which, when executed, operates as follows. First, program (p b) is executed. If it has result (inl b'), then the program continues with (repeat_{w,A,B} b' p). If it has result (inr a), the program terminates and returns a.

However, if p b = leaf a for some b : B, we might get an expression that does not evaluate to constructor form, e.g. (repeat_{w,A,B} b λx. leaf (inl b)). So we have to restrict p, and the easiest way is to replace (IO_w (B + A)) by (IO⁺_w (B + A)). Here for D : Set let IO⁺_w D = Σc : C. R c → IO_w D be the set of I/O-programs with results in D, with at least one interaction (command c). Let do⁺ c p = (c, p) : IO⁺_w D and, if p : IO⁺_w D, let p⁻ : IO_w D be defined by (do⁺ c p)⁻ = do c p.

The definition (which uses general recursion and so allows us to define non-well-founded trees and form non-normalising terms) of repeat is as follows:

repeat_w : (A, B : Set, b : B, p : B → IO⁺_w (B + A)) → IO_w A,
repeat_{w,A,B} b p = (p b)⁻ *_{w,B+A,A} q,
where q (inl b') = repeat_{w,A,B} b' p,
      q (inr a) = leaf a.

Example. As an example we define a rudimentary editor. The only command is readChar, which has as result either a character c typed in, cursorLeft for the cursor-left-button or done for some key associated with termination. The program reads the text created using these keys and returns the result. ((truncate s) will be the result of deleting the last character from string s, (append s c) an operation which appends character c to the end of string s, and ε the empty string.)

C = {readChar} : Set,
R : C → Set,
R c = {ch c | c : Char} ∪ {cursorLeft, done},
editor = repeat_{w,String,String} ε λs. do⁺ readChar q,
where q (ch c) = leaf (inl (append s c)),
      q cursorLeft = leaf (inl (truncate s)),
      q done = leaf (inr s).

While loop. While loops are defined similarly to repeat loops.

while_w : (A, B : Set, b : B, p : B → (IO⁺_w B + IO_w A)) → IO_w A.

The definition proceeds by cases on the value of (p b). If it is of the form (inl q), then q is executed, and, once it terminates with result b', the program continues with (while_{w,A,B} b' p). If it is (inr q), q is executed and its result returned as final result. The definition, which again uses general recursion, is

while_{w,A,B} b p = f (p b),
where f (inl q) = q⁻ *_{w,B,A} λb'. while_{w,A,B} b' p,
      f (inr q) = q.

It is now an easy exercise to express while by repeat and vice versa. 

Redirect. * can be regarded as "horizontal composition" of programs. There is also a "vertical composition": Assume worlds w = (C, R) and w' = (C', R'), A : Set and p : IO_w A. We want to refine p to a program in world w', by replacing every command c : C by a program (q c) in world w' with a result r : R c. So q has type (c : C) → IO_{w'} (R c). However, if we allow (q c) to be a leaf and p has infinitely many commands, this will allow us to construct an expression that cannot be evaluated to constructor form. To avoid this, we replace the type of q by (c : C) → IO⁺_{w'} (R c). The construction that results is

redirect_{w,w'} : (A : Set, p : IO_w A, q : (c : C) → IO⁺_{w'} (R c)) → IO_{w'} A,
where redirect_{w,w',A} (leaf a) q = leaf a,
      redirect_{w,w',A} (do c p) q = (q c)⁻ *_{w',R c,A} λr. redirect_{w,w',A} (p r) q.

Using redirect for building libraries. We can now define a world in which high level I/O-commands are first class objects - they do not evaluate directly into low level commands - together with an interpretation of each command as a program in the basic language used by execute, and so construct libraries. To implement execute one can therefore restrict oneself to a basic world with simple commands.

Example. Let the high level world be w_0 = (C_0, R_0), with C_0 = {read} ∪ {write s | s : String}. Here read is a command for reading a string, R_0 read = String, and (write s) an instruction for writing a string, R_0 (write s) = 1. Let the low level world w_1 have commands for reading a key, writing a symbol, and movements of the cursor left and right. Let q : (c : C_0) → IO⁺_{w_1} (R_0 c), where (q read) is an editor that uses the keys to manipulate a string and has as result that string, and (q (write s)) is an output routine for strings. Then (redirect p q) translates a program using high level commands into one that uses the basic ones.
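The I/O-trees of Sect. 2 together with repeat, while, redirect and the editor/library example above, as an added Python model that is not part of the paper. Command names, response encodings and the low-level command writeLine are assumptions of this example; the IO⁺ restriction is enforced by a runtime check, since Python has no dependent types.

```python
# Added example (not from the paper): the I/O-trees of Sect. 2 and the
# repeat / while / redirect constructions of Sect. 3, modelled in Python.
# A Do node holds a command and a continuation from responses to trees, so
# a tree with infinitely many interactions is unfolded only as far as
# execution walks it (the laziness the paper gets from general recursion).
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Leaf:                   # leaf a: terminate with result a (eta_A a)
    value: Any

@dataclass(frozen=True)
class Do:                     # do c p: issue c, continue with p r on response r
    cmd: Any
    cont: Callable[[Any], Any]

def bind(p, q):               # p * q, by structural recursion on p
    if isinstance(p, Leaf):
        return q(p.value)
    return Do(p.cmd, lambda r: bind(p.cont(r), q))

def execute(p, env, limit=10000):
    """The external 'execute': env maps a command to the environment's
    response. Reduce p to constructor form and act on it, repeatedly."""
    for _ in range(limit):
        if isinstance(p, Leaf):
            return p.value
        p = p.cont(env(p.cmd))
    raise RuntimeError("interaction limit reached")

def scripted_env(inputs, log):
    """Constructed environment: answers readstr/readChar from a script and
    records every other command in log, answering it with unit."""
    it = iter(inputs)
    def env(cmd):
        if cmd in ("readstr", "readChar"):
            return next(it)
        log.append(cmd[1] if isinstance(cmd, tuple) else cmd)
        return ()
    return env

def wurzel():                 # the password program of Sect. 2
    return Do(("writestr", "Password (root):"), lambda _:
              Do("readstr", lambda s:
                 Leaf("success") if s == "Wurzel"
                 else Do(("writestr", "Login incorrect"), lambda _: Leaf("fail"))))

def repeat(b, p):
    # p b must be a Do node (the IO+ restriction): were it a Leaf, bind would
    # call q at once and repeat would recurse without reaching constructor form.
    pb = p(b)
    if not isinstance(pb, Do):
        raise TypeError("repeat needs p b : IO+ (B + A)")
    return bind(pb, lambda x: repeat(x[1], p) if x[0] == "inl" else Leaf(x[1]))

def while_(b, p):             # p b = ("inl", q : IO+ B) loops, ("inr", q : IO A) exits
    tag, q = p(b)
    if tag == "inr":
        return q
    if not isinstance(q, Do):
        raise TypeError("while needs inl q with q : IO+ B")
    return bind(q, lambda b2: while_(b2, p))

def redirect(p, q):
    """Vertical composition: each command c of p is replaced by the program
    q c of another world; q c must again be a Do node."""
    if isinstance(p, Leaf):
        return p
    qc = q(p.cmd)
    if not isinstance(qc, Do):
        raise TypeError("redirect needs q c : IO+ (R c)")
    return bind(qc, lambda r: redirect(p.cont(r), q))

def editor():
    """The editor of Sect. 3: a readChar response is a one-character string,
    'cursorLeft' or 'done'; the loop state is the text typed so far."""
    def step(s):
        def q(key):
            if key == "cursorLeft":
                return Leaf(("inl", s[:-1]))        # truncate s
            if key == "done":
                return Leaf(("inr", s))
            return Leaf(("inl", s + key))          # append s key
        return Do("readChar", q)
    return repeat("", step)

def library(c):
    """High-level world {read, write s} implemented on a low-level world with
    readChar and writeLine (a constructed stand-in for symbol output)."""
    if c == "read":
        return editor()
    return Do(("writeLine", c[1]), lambda _: Leaf(()))

def greet():                  # a high-level program; its result is the name read
    return Do(("write", "Name:"), lambda _:
              Do("read", lambda name:
                 Do(("write", "Hello " + name), lambda _: Leaf(name))))
```

Running `execute(redirect(greet(), library), env)` against a scripted environment drives the whole stack: the high-level write becomes a writeLine, the high-level read runs the editor loop over readChar responses, and the result is the edited string.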

Equality. With while- and repeat-loops we introduce non-well-founded I/O-trees. Even with extensional equality it seems that it is no longer possible to prove the monad laws. (We do not yet have a proof of this.) So extensional equality seems to be too weak for dealing with non-well-founded programs. Instead we use bisimulation as equality. I. Lindström has given a very elegant definition of such an equality. The definition is based on an idea that occurs in work on non-wellfounded sets by Lars Hallnäs |5]. Transferred to our setting, the equality is defined as ∀n. p ~_{A,n} q, where p ~_{A,n} q expresses that p and q coincide up to height n. In the following the world w will be a parameter in all definitions, and will be omitted for clarity. We will use equality-types =_C and =_A on C and A. (We will in a follow-up to this article consider a generalisation where instead of assuming =_C we establish C with a setoid structure; in this case we need a reindexing map, which replaces J_{C,R} below. Additional reindexing maps will be needed to establish the properties of the equality which we define.)

~ : (A : Set, p, q : IO A) → Set,
~_n : (A : Set, n : N, p, q : IO A) → Set,

(p ~_A q) = ∀n : N. p ~_{A,n} q,
(p ~_{A,0} q) = ⊤,
(leaf a ~_{A,n+1} do c p) = (do c p ~_{A,n+1} leaf a) = ⊥,
(leaf a ~_{A,n+1} leaf a') = (a =_A a'),
(do c p ~_{A,n+1} do c' p') = ∃x : (c =_C c'). ∀r : R c. p r ~_{A,n} p' (J_{C,R} c c' x r).



Definition 3.1. (a) Let case-distinction for IO be the rule (under the assumptions that A : Set, B : (p : IO A) → Set) with type

((a : A) → B (leaf a), (c : C, q : R c → IO A) → B (do c q), p : IO A) → B p.

(b) Let TT(IO) be (intensional) Martin-Löf type theory extended by the defining rules for IO and case-distinction for IO.

Lemma 3.2. TT(IO) proves the following (under the assumptions that A, B : Set and all other variables are of appropriate type):

(a) ~_A is reflexive, symmetric and transitive.

(b) p ~_A p' → (∀a : A. q a ~_B q' a) → p *_{A,B} q ~_B p' *_{A,B} q'.

Proof. (a) First we prove the lemma with ~_A replaced by ~_{A,n} by induction on n : N, using the elimination rules for equality. Then the assertion follows by the definition of ~. (b) Show that p ~_{A,n} p' and ∀a : A. q a ~_{B,n} q' a imply p *_{A,B} q ~_{B,n} p' *_{A,B} q' by induction on n. □



Theorem 3.3. TT(IO) proves the monad laws with respect to ~_A.

Proof. The first law holds definitionally and therefore, by reflexivity, with respect to ~_A. The second and third laws are proved first with ~_A replaced by ~_{A,n} by induction on n. Then the assertion follows from the definition of ~_A. □

I/O-trees as a general concept for command/response-interaction. It seems that the applications of I/O-trees, which are in general non-well-founded trees, are not limited only to functional programming languages. I/O-trees cover in a general way command/response-interaction with one agent (a program) having control over the commands. Every I/O-behaviour corresponds, up to the equality we have introduced above, to exactly one I/O-tree. Therefore I/O-trees are suitable models for this kind of interaction.

4 Normalising Version 

Counterexample to normalisation. If we take standard reduction rules corresponding to the equalities given above (by directing the equations in an obvious way), the above definitions give non-normalising programs. Let for instance A = B = C = N, (R c) be arbitrary, w = (C, R), f : N → N. We omit the parameter w.

p := λn. do⁺ (f n) λx. leaf (inl (n + 1)) : N → IO⁺ (A + B),
repeat 0 p = do (f 0) λx. repeat (S 0) p
  = do (f 0) λx. do (f (S 0)) λy. repeat (S (S 0)) p
  = do (f 0) λx. do (f (S 0)) λy. do (f (S (S 0))) λz. repeat (S (S (S 0))) p
  = ...



We see that definitional equality is now undecidable, since we cannot decide whether two functions N → N are extensionally equal. This implies the undecidability of type checking, since with a type checking algorithm we can decide definitional equality (for a, b : A, the term λB, f. f a is of type (B : (x : A) → Set, f : (x : A) → B x) → B b if and only if a = b : A).

One solution would be to extend dependent type theory by coinductive types 
with rules chosen such that normalisation is preserved. This requires extensive 
meta-theoretical investigations that have not yet been completely carried out. 
Instead we represent non-well-founded trees in normalising standard type theory. 

How to regain normalisation. In type theory with inductive types and standard elimination rules for them, while and repeat cannot be defined. We can however add one of them as a constructor to (IO_w A). We choose while, for which the definition of * and the proofs of equalities turn out to be easier. We can then define repeat by using while. We modify execute, so that it operates on (while u a p) in the same way as it operated on the non-well-founded trees defined using the function while in the previous version. One problem is however that while (the same is the case with repeat) defines an element of (IO_w A) by referring to (IO_w B) for an arbitrary set B. To demand that (IO_w A) is a set means to define a set by referring negatively to all sets, which is problematic. (The typing rules require that if A is a set, (IO_w A) is a type.)

To fix this, we will restrict the sets referred to in while to elements of a universe. A universe is a set-indexed collection of sets, i.e. a pair (U, T) s.t. U : Set and T : U → Set. The elements of U represent "small sets". With such a restriction (IO_w A) no longer refers to the collection of all sets, and can now be typed as a set. We will however extend U to a slightly bigger universe with representatives for 1 + R c, and this extension will be called set, since it is in the definition of (IO_w A) the "collection of small sets".

General assumption and definition 4.1. (a) Let w = (C, R) be a world.

(b) Let U : Set, T : U → Set be some fixed collection of sets (i.e. a universe).

(c) Let set := U + C, el : set → Set, el (inl u) = T u, el (inr c) = 1 + R c, R according to the world w. We write (1 + R c) for (inr c).

For simplicity, in the following we will omit the parameters w, U, and T.

We can now omit the constructor do (which can be simulated by while) and obtain the following definition of IO A:

IO : Set → Set, where (IO A) has constructors
leaf : A → IO A,
while : (u : set, a : el u, p : el u → (IO⁺ (el u) + IO A)) → IO A,
and IO⁺ : Set → Set,
IO⁺ A = Σc : C. R c → IO A.



Monad operations. In the monad operations sets have to be replaced by elements of the universe:

η_A a := leaf a,
leaf a *_{A,B} q = q a,
while u a p *_{A,B} q = while u a (p ⊛_{A,B,u} q),
where ⊛ : (A, B : Set, u : set, p : el u → (IO⁺ (el u) + IO A), q : A → IO B) → el u → (IO⁺ (el u) + IO B),
if p b = inl p', then (p ⊛_{A,B,u} q) b = inl p',
if p b = inr p', then (p ⊛_{A,B,u} q) b = inr (p' *_{A,B} q).

Do. Now we define the operation $(\mathrm{do}_A\,c\,p)$. (Note that do is not a constructor):

\[
\begin{array}{l}
\mathrm{do}_A\,c\,p = \mathrm{while}\,(1 + Rc)\,(\mathrm{inl}\,\bullet)\,q,\\
\text{where } q\,(\mathrm{inl}\,\bullet) = \mathrm{inl}\,(c, \lambda r.\,\mathrm{leaf}\,(\mathrm{inr}\,r)),\\
\qquad\quad\ q\,(\mathrm{inr}\,r) = \mathrm{inr}\,(p\,r).
\end{array}
\]

Split. In the non-normalising theory, each element of $(\mathrm{IO}\,A)$ according to the new definition can be interpreted as a non-well-founded tree; we replace all occurrences of the constructor while with the function while defined before. In normalising type theory this is not possible. Instead we can obtain the structure of the represented non-well-founded trees by defining a function $\mathrm{split}_A$, which determines for every $p : \mathrm{IO}\,A$ whether its interpretation as a non-well-founded tree is that of a leaf labelled by $a : A$ ($\mathrm{split}_A\,p = \mathrm{inr}\,a$) or whether it is an inner node labelled by $c : C$, which has for $r : Rc$ subtree $q\,r$ ($\mathrm{split}_A\,p = \mathrm{inl}\,(c, q)$):

\[
\begin{array}{l}
\mathrm{split} : (A : \mathrm{Set},\ p : \mathrm{IO}\,A) \to (\mathrm{IO}^+ A + A),\\
\mathrm{split}_A\,(\mathrm{leaf}\,a) = \mathrm{inr}\,a,\\
\text{if } p\,a = \mathrm{inr}\,q, \text{ then } \mathrm{split}_A\,(\mathrm{while}\,u\,a\,p) = \mathrm{split}_A\,q,\\
\text{if } p\,a = \mathrm{inl}\,(c, q), \text{ then } \mathrm{split}_A\,(\mathrm{while}\,u\,a\,p) = \mathrm{inl}\,(c, \lambda r.\,q\,r *_{\mathrm{el}(u),A} \lambda x.\,\mathrm{while}\,u\,x\,p).
\end{array}
\]

Execution of I/O-programs. Assume a fixed world $w_0 = (C_0, R_0)$ corresponding to real commands, as before. execute, adapted to the new setting, operates as follows: Applied to a program $p : \mathrm{IO}_{C_0,R_0}\,A$ it evaluates $\mathrm{split}_A\,p$. If the result is $(\mathrm{inr}\,a)$, then execute stops with result a. If $\mathrm{split}_A\,p = \mathrm{inl}\,(c, q)$, then c is executed, and depending on the result r, execute continues with $(q\,r)$.

Normalising I/O-programs. With only inductive data types with their elimination rules, type theory is normalising. Therefore $\mathrm{split}_A\,p$ reduces to a value of the form $(\mathrm{inr}\,a)$ or $(\mathrm{inl}\,(c, q))$. So when a program is executed, and it is its 'turn to go' (i.e. at the beginning and after obtaining a response to a command), after a finite time, either it terminates, or it issues another command. (Whether a response to a command c is obtained after a finite time depends firstly on whether a response is even possible, since the response set Rc may be empty, and secondly on what happens in the real world, since the user may walk away from the keyboard and never return.) However, it may still be that infinitely many commands are executed. As trees, I/O-programs are not necessarily well-founded. We call an I/O-program normalising if both initially and after the result of a command is obtained, it either terminates, or issues the next command after a finite amount of time. The set $(\mathrm{IO}\,A)$ (together with execute) represents a class of normalising I/O-programs.

Equality. Under the same assumptions as in Sect. 0 we can now define an equality on elements of $\mathrm{IO}\,A$. However, we use split in order to get access to the corresponding tree-structure:

\[
\begin{array}{l}
\sim : (A : \mathrm{Set},\ p, q : \mathrm{IO}\,A) \to \mathrm{Set},\\
\sim : (A : \mathrm{Set},\ n : \mathbb{N},\ p, q : \mathrm{IO}\,A) \to \mathrm{Set},\\
(p \sim_A q) = \forall n : \mathbb{N}.\ p \sim_{A,n} q,\\
p \sim_{A,0} q = \top,\\
p \sim_{A,n+1} q = (\mathrm{split}_A\,p \sim_{A,n} \mathrm{split}_A\,q), \text{ where}\\
\sim : (A : \mathrm{Set},\ n : \mathbb{N},\ p, q : \mathrm{IO}^+ A + A) \to \mathrm{Set},\\
(\mathrm{inr}\,a \sim_{A,n} \mathrm{inl}\,(c, p)) = (\mathrm{inl}\,(c, p) \sim_{A,n} \mathrm{inr}\,a) = \bot,\\
(\mathrm{inr}\,a \sim_{A,n} \mathrm{inr}\,a') = (a =_A a'),\\
(\mathrm{inl}\,(c, q) \sim_{A,n} \mathrm{inl}\,(c', q')) = \exists p : (c =_C c').\ \forall r : Rc.\ q\,r \sim_{A,n} q'\,(J\,C\,R\,c\,c'\,p\,r).
\end{array}
\]

Note that $\sim_{A,n}$ identifies programs which behave identically in the first n steps, and therefore $\sim_A$ identifies exactly behaviourally equal programs. Note however that we identify only those commands $c : C$ which are equal with respect to $=_C$.

Proof of the monad laws, defining equalities for while and other standard properties with respect to bisimulation. The following can be proved inside type theory. (Some indices or superscripts have been left implicit.)

Lemma 4.2. (a) $\eta_A\,a *_{A,B} p \sim_B p\,a$.

(b) $\sim_A$ and $\sim_{A,n}$ are reflexive, symmetric and transitive.

(c) If $p\,a =_{\mathrm{IO}^+(\mathrm{el}\,u)+\mathrm{IO}\,A} \mathrm{inr}\,q$, then $\mathrm{while}\,u\,a\,p \sim_A q$.

Proof. (a) is trivial. (b) follows with $\sim_A$ replaced by $\sim_{A,n}$ by induction on n; in case of symmetry and transitivity one uses additionally the elimination rules for $=_C$. From this the assertion follows. (c) $\mathrm{split}_A\,(\mathrm{while}\,u\,a\,p) =_{\mathrm{IO}^+ A + A} \mathrm{split}_A\,q$. □

For stating and proving the next lemmata we introduce an equality on the type of p in $(\mathrm{while}\,u\,a\,p)$, i.e. $(\mathrm{el}\,u) \to (\mathrm{IO}^+(\mathrm{el}\,u) + \mathrm{IO}\,A)$:

Definition 4.3.

\[
\begin{array}{l}
\sim : (A : \mathrm{Set},\ u : \mathrm{set},\ p, q : (\mathrm{el}\,u) \to (\mathrm{IO}^+(\mathrm{el}\,u) + \mathrm{IO}\,A)) \to \mathrm{Set},\\
p \sim_{A,u} q = \forall x : \mathrm{el}\,u.\ p\,x \sim^{\mathrm{aux}}_{A,u} q\,x, \text{ where}\\
\sim^{\mathrm{aux}} : (A : \mathrm{Set},\ u : \mathrm{set},\ p, q : \mathrm{IO}^+(\mathrm{el}\,u) + \mathrm{IO}\,A) \to \mathrm{Set},\\
(\mathrm{inl}\,q \sim^{\mathrm{aux}}_{A,u} \mathrm{inr}\,q') = (\mathrm{inr}\,q \sim^{\mathrm{aux}}_{A,u} \mathrm{inl}\,q') = \bot,\\
(\mathrm{inr}\,q \sim^{\mathrm{aux}}_{A,u} \mathrm{inr}\,q') = (q \sim_A q'),\\
(\mathrm{inl}\,(c, q) \sim^{\mathrm{aux}}_{A,u} \mathrm{inl}\,(c', q')) = \exists p : (c =_C c').\ \forall r : Rc.\ q\,r \sim_{\mathrm{el}\,u} q'\,(J\,C\,R\,c\,c'\,p\,r).
\end{array}
\]

Similarly we define $\sim_{A,u,n}$, $\sim^{\mathrm{aux}}_{A,u,n}$ with additional argument $n : \mathbb{N}$ and refer to $\sim_{A,n}$, $\sim_{\mathrm{el}\,u,n}$ instead of $\sim_A$, $\sim_{\mathrm{el}\,u}$.

Lemma 4.4. (a) $(p_0 \sim_A p_1 \wedge \forall a : A.\ q_0\,a \sim_B q_1\,a) \to (p_0 * q_0 \sim_B p_1 * q_1)$.

(b) $p_0 \sim_{A,u} p_1 \to \mathrm{while}\,u\,a\,p_0 \sim_A \mathrm{while}\,u\,a\,p_1$.

(c) For $p : \mathrm{IO}\,A$, $q : A \to \mathrm{IO}\,B$, $r : B \to \mathrm{IO}\,D$ it follows $(p * q) * r \sim_D p * \lambda x.\,((q\,x) * r)$.

Proof. We prove (a)–(c), with $\sim_A$, $\sim_{A,u}$ replaced by $\sim_{A,n}$, $\sim_{A,u,n}$, simultaneously by induction on n. The case $n = 0$ is trivial, so we assume the assertion has been proved for n and prove it for $n + 1$:

(a) Side-induction on $p_0$, side-side-induction on $p_1$:

If $p_0 = \mathrm{leaf}\,a_0$ and $p_1 = \mathrm{leaf}\,a_1$, then $a_0 =_A a_1$ and $q_0\,a_0 \sim_B q_1\,a_1$.

If $p_0 = \mathrm{while}\,u\,a\,\hat p_0$ with $\hat p_0\,a = \mathrm{inr}\,\tilde p_0$, then $p_0 \sim \tilde p_0$, and by $p_0 * q_0 = \mathrm{while}\,u\,a\,(\hat p_0 \circledast q_0)$, $(\hat p_0 \circledast q_0)\,a = \mathrm{inr}\,(\tilde p_0 * q_0)$ it follows $p_0 * q_0 \sim_B \tilde p_0 * q_0$, and the assertion follows by side-IH for $\tilde p_0$ instead of $p_0$. Similarly the assertion follows if $p_1$ is of a similar form.

Otherwise $p_i = \mathrm{while}\,u_i\,a_i\,\hat p_i$, with $\hat p_i\,a_i = \mathrm{inl}\,(c_i, \tilde p_i)$, $\mathrm{split}\,p_i = \mathrm{inl}\,(c_i, \lambda r.\,\tilde p_i\,r * \lambda x.\,\mathrm{while}\,u_i\,x\,\hat p_i)$.

By $p_0 \sim_{A,n+1} p_1$ there exists $P_{c_0 c_1} : (c_0 =_C c_1)$, and for $r_0 : R c_0$, $r_1 := J\,C\,R\,c_0\,c_1\,P_{c_0 c_1}\,r_0$ there exist proofs of $\tilde p_0\,r_0 * \lambda x.\,\mathrm{while}\,u_0\,x\,\hat p_0 \sim_{A,n} \tilde p_1\,r_1 * \lambda x.\,\mathrm{while}\,u_1\,x\,\hat p_1$.

$\mathrm{split}\,(p_i * q_i) = \mathrm{inl}\,(c_i, \lambda r.\,\tilde p_i\,r * \lambda x.\,\mathrm{while}\,u_i\,x\,(\hat p_i \circledast q_i)) = \mathrm{inl}\,(c_i, \lambda r.\,\tilde p_i\,r * \lambda x.\,\mathrm{while}\,u_i\,x\,\hat p_i * q_i)$.

We have to show that for $r_0$, $r_1$ as above $\tilde p_0\,r_0 * \lambda x.\,\mathrm{while}\,u_0\,x\,\hat p_0 * q_0 \sim_{B,n} \tilde p_1\,r_1 * \lambda x.\,\mathrm{while}\,u_1\,x\,\hat p_1 * q_1$.

By IH (c) and symmetry $\tilde p_i\,r_i * \lambda x.\,\mathrm{while}\,u_i\,x\,\hat p_i * q_i \sim_{B,n} (\tilde p_i\,r_i * \lambda x.\,\mathrm{while}\,u_i\,x\,\hat p_i) * q_i$, and by IH (a) $(\tilde p_0\,r_0 * \lambda x.\,\mathrm{while}\,u_0\,x\,\hat p_0) * q_0 \sim_{B,n} (\tilde p_1\,r_1 * \lambda x.\,\mathrm{while}\,u_1\,x\,\hat p_1) * q_1$. The assertion follows now by transitivity and symmetry.

(b) If $p_i\,a = \mathrm{inr}\,q_i$, then $\mathrm{while}\,u\,a\,p_i \sim_A q_i$, $q_0 \sim_{A,n+1} q_1$.

Otherwise $p_i\,a = \mathrm{inl}\,(c_i, q_i)$, $\mathrm{split}\,(\mathrm{while}\,u\,a\,p_i) = \mathrm{inl}\,(c_i, \lambda r.\,q_i\,r * \lambda x.\,\mathrm{while}\,u\,x\,p_i)$. By assumption there exists $P_{c_0 c_1}$ as in (a) and for $r_0$ and $r_1$ as in (a) proofs of $q_0\,r_0 \sim_{\mathrm{el}\,u} q_1\,r_1$, and furthermore by IH (b) proofs of $\mathrm{while}\,u\,x\,p_0 \sim_{A,n} \mathrm{while}\,u\,x\,p_1$ for $x : \mathrm{el}\,u$. The assertion follows by IH (a).

(c) is proved by side-induction on p. If $p = \mathrm{leaf}\,a$ this follows by reflexivity. Otherwise $p = \mathrm{while}\,u\,a\,\hat p$, $(p * q) * r = \mathrm{while}\,u\,a\,((\hat p \circledast q) \circledast r)$, $p * \lambda x.\,q\,x * r = \mathrm{while}\,u\,a\,(\hat p \circledast \lambda x.\,q\,x \circledast r)$, by side-IH $(\hat p \circledast q) \circledast r \sim_{D,u,n+1} \hat p \circledast \lambda x.\,q\,x \circledast r$, and by (b) for $n + 1$, as just proved, the assertion follows. □

Lemma 4.5. (a) $p * \lambda x.\,\eta_A\,x \sim_A p$.

(b) $\mathrm{split}\,(\mathrm{do}\,c\,p) =_{\mathrm{IO}^+ A + A} \mathrm{inl}\,(c, p')$ for some $p'$ s.t. $\forall r : Rc.\ p\,r \sim_A p'\,r$.

(c) If $p\,a =_{\mathrm{IO}^+(\mathrm{el}\,u)+\mathrm{IO}\,A} \mathrm{inl}\,(c, q)$ then $\mathrm{while}\,u\,a\,p \sim_A \mathrm{do}\,c\,\lambda r.\,q\,r * \lambda x.\,\mathrm{while}\,u\,x\,p$.

Proof. (a) follows by straightforward induction on p and Lemma 4.4 (b).

(b) $\mathrm{split}\,(\mathrm{do}\,c\,p) = \mathrm{inl}\,(c, \lambda r.\,(\mathrm{leaf}\,(\mathrm{inr}\,r)) * \lambda x.\,\mathrm{while}\,(1 + Rc)\,x\,q) = \mathrm{inl}\,(c, \lambda r.\,\mathrm{while}\,(1 + Rc)\,(\mathrm{inr}\,r)\,q)$, where q is as in the definition of $(\mathrm{do}\,c\,p)$. For $r : Rc$ we have by Lemma 4.2 (c) $\mathrm{while}\,(1 + Rc)\,(\mathrm{inr}\,r)\,q \sim_A p\,r$.

(c) follows by (b) and $\mathrm{split}\,(\mathrm{while}\,u\,a\,p) = \mathrm{inl}\,(c, \lambda r.\,q\,r * \lambda x.\,\mathrm{while}\,u\,x\,p)$. □
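The definitions of this section (leaf and while, the bind operation $*$ with $\circledast$, do, split, execute and the n-step equality $\sim_{A,n}$) and the lemmata above can be exercised in a small Python model. The following is an added example and not code from the paper: the world with its single command "ask", the finite set of loop states STATES and the program ASK_UNTIL_YES are constructed for it, small sets are modelled as finite tuples, and the instances of Lemma 4.2 (c), 4.5 (a) and 4.5 (c) are checked only up to a fixed depth n, since a Python function cannot quantify over all n.

```python
"""Python model of normalising I/O-programs (added example; not the paper's code)."""
from dataclasses import dataclass
from typing import Any, Callable

# Constructed world w = (C, R): the command "ask" has the response set {0, 1}.
WORLD = {"ask": [0, 1]}

@dataclass(frozen=True)
class Leaf:                  # leaf : A -> IO A
    a: Any

@dataclass(frozen=True)
class While:                 # while : (u : set, a : el u, p : el u -> IO+(el u) + IO A) -> IO A
    u: tuple                 # the small set el u, modelled as a finite tuple of states
    a: Any
    p: Callable[[Any], Any]

@dataclass(frozen=True)
class Inl:
    v: Any

@dataclass(frozen=True)
class Inr:
    v: Any

def bind(prog, q):
    """p *_{A,B} q:  leaf a * q = q a;  while u a p * q = while u a (p (*) q)."""
    if isinstance(prog, Leaf):
        return q(prog.a)
    def body(x):             # p (*) q: inl is left alone, q is bound inside inr
        r = prog.p(x)
        return r if isinstance(r, Inl) else Inr(bind(r.v, q))
    return While(prog.u, prog.a, body)

def do(c, p):
    """do c p = while (1 + Rc) (inl *) q, with q as in the paper's definition."""
    u = (Inl(None),) + tuple(Inr(r) for r in WORLD[c])   # el (inr c) = 1 + Rc
    def q(x):
        if isinstance(x, Inl):
            return Inl((c, lambda r: Leaf(Inr(r))))
        return Inr(p(x.v))
    return While(u, Inl(None), q)

def split(prog):
    """inr a for a leaf, inl (c, q) for a node issuing c with subtrees q r."""
    while isinstance(prog, While):
        r = prog.p(prog.a)
        if isinstance(r, Inr):
            prog = r.v                      # split (while u a p) = split q
        else:
            c, q = r.v
            u, p = prog.u, prog.p
            return Inl((c, lambda res: bind(q(res), lambda x: While(u, x, p))))
    return Inr(prog.a)

def execute(prog, responses):
    """Run prog against a scripted list of responses; return (result, commands issued)."""
    trace, responses = [], list(responses)
    while True:
        s = split(prog)
        if isinstance(s, Inr):
            return s.v, trace
        c, q = s.v
        trace.append(c)
        prog = q(responses.pop(0))          # continue with (q r)

def bisim(p0, p1, n):
    """p0 ~_{A,n} p1: identical behaviour for the first n steps."""
    if n == 0:
        return True
    s0, s1 = split(p0), split(p1)
    if isinstance(s0, Inr) and isinstance(s1, Inr):
        return s0.v == s1.v
    if isinstance(s0, Inl) and isinstance(s1, Inl):
        (c0, q0), (c1, q1) = s0.v, s1.v
        return c0 == c1 and all(bisim(q0(r), q1(r), n - 1) for r in WORLD[c0])
    return False

# Constructed program: ask up to three times; state 99 records a "yes" answer.
STATES = (0, 1, 2, 3, 99)
def ask_body(n):
    if n == 99:
        return Inr(Leaf("yes"))
    if n == 3:
        return Inr(Leaf("gave up"))
    return Inl(("ask", lambda r: Leaf(99 if r == 1 else n + 1)))
ASK_UNTIL_YES = While(STATES, 0, ask_body)

def check_laws(n=6):
    """Instances of Lemma 4.2 (c), 4.5 (a) and 4.5 (c), checked up to depth n."""
    law_42c = bisim(While(STATES, 3, ask_body), Leaf("gave up"), n)   # p a = inr q
    law_45a = bisim(bind(ASK_UNTIL_YES, Leaf), ASK_UNTIL_YES, n)        # p * eta ~ p
    c, q = ask_body(0).v                                                # p a = inl (c, q)
    rhs = do(c, lambda r: bind(q(r), lambda x: While(STATES, x, ask_body)))
    law_45c = bisim(ASK_UNTIL_YES, rhs, n)
    return law_42c, law_45a, law_45c
```

execute(ASK_UNTIL_YES, [0, 0, 1]) returns ("yes", ["ask", "ask", "ask"]); with [0, 0, 0] the loop reaches state 3 and returns "gave up"; check_laws() returns (True, True, True). Because split always reaches a leaf or a command after finitely many steps over these finite state sets, execute has the 'turn to go' property of a normalising program, and bisim only ever compares the finitely many responses in WORLD.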



5 Conclusion

We have identified a need for a general and workable way of representing and reasoning about interactive programs in dependent type theory. We introduced in dependent type theory the notion of an I/O-tree, parameterised over a world, making essential use of type dependency. We gave it in two forms. The first breaks normalisation, but is conceptually simpler and suitable if one is tolerant of a programming language with 'bottom', or divergent programs. The second preserves normalisation. We called programs of this kind "normalising I/O-programs". We introduced an equality relation identifying behaviourally indistinguishable programs and showed that the monad laws hold, modulo this equality. (For the normalising version these are Lemma 4.2 (a), 4.5 (a) and 4.4 (c).) We introduced while-loops in both versions and repeat-loops and redirect in the first version (and leave it as an interesting exercise to extend the last two constructions to the normalising version). In the non-normalising version the characteristic equations for while and repeat are fulfilled by definition, whereas in the normalising version we have shown them for while (Lemma 4.2 (c) and 4.5 (c)). We have characterised do as well in the latter version (Lemma 4.5 (b)). In a future paper we will show how to move from one universe to another in the normalising version and explore what happens if C is a setoid with a specific equivalence relation. In addition we will introduce state-dependent I/O-programs, in which the set of commands available depends on the current state of knowledge about the world.

Appendix: Notations

In the paper we do not distinguish between $\Sigma$- and $\Pi$-type on the logical framework level and as set-constructions. The empty set is denoted by 0, the set containing one element by 1 (with element $\bullet$). The set of natural numbers is denoted by $\mathbb{N}$. The injections for the disjoint union $A + B$ of sets A and B are written $\mathrm{inl} : A \to (A + B)$, $\mathrm{inr} : B \to (A + B)$. The elements of $\Sigma x : A.\,B$ are denoted by $(a, b)$. The dependent function type (sometimes written as $\Pi x : A.\,B$) is denoted by $(x : A) \to B$, with abbreviations like $(x : A, y : B) \to C$ for $(x : A) \to (y : B) \to C$, $(x : A, B) \to C$ for $(x : A, y : B) \to C$ with y new, and $(x, y : A) \to B$ for $(x : A, y : A) \to B$. We use juxtaposition $(f\,a)$ for application, having a higher precedence than all other operators do, so that for example $f\,a = g\,b$ means $(f\,a) = (g\,b)$. The scope of variable-binding operators $\lambda x.$, $\forall x.$, $\exists x.$, $\Sigma x.$ is maximal (so $\lambda x.\,f\,a =_A b$ stands for $\lambda x.\,((f\,a) =_A b)$). Some functions are represented as infix operators, writing some of the first few arguments as indices. (For instance we write $p *_{A,B} q$ for $(*\,A\,B\,p\,q)$.) Arguments that are written as indices are often omitted. We will omit the type in equality judgements, writing $r = s$ instead of $r = s : A$. An equation sign $=$ without indices denotes definitional equality, whereas we write $r =_A s$ (never omitting the A) for equality types (which are actually sets). The intensional equality has introduction rule $\mathrm{ref} : (A : \mathrm{Set}, a : A) \to a =_A a$ expressing reflexivity, and elimination rule $J : (A : \mathrm{Set}, B : A \to \mathrm{Set}, a, a' : A, p : (a =_A a'), B\,a) \to B\,a'$, which corresponds to the second equality axiom: from $a =_A a'$ and $B\,a$ we can conclude $B\,a'$. The equality rule is $J\,A\,B\,a\,a\,(\mathrm{ref}\,A\,a)\,b = b$. Note that with extensional equality J could be defined trivially as $\lambda A, B, a, a', p, b.\,b$.

Abstract. In recent years, there has been a lot of interest in analyzing the space requirements for modal logics. In this paper, we prove that modal satisfiability is in deterministic linear space. This improves the best previously-known O(n log n) bound and it is the first linear space result in this area.



1 Introduction

In 1977, Ladner [?] showed that the modal satisfiability problems for K, T, and S4 are PSPACE-complete. His decision procedures for K, T, and S4 use deterministic space O(n²), O(n²), and O(n³) respectively. Since the goal of his paper was to prove PSPACE-completeness, it is not surprising that these upper bounds are not optimal.

Hudelmaier proved that K and T satisfiability can be decided in deterministic space O(n log n) and that S4 satisfiability can be decided in deterministic space O(n² log n). A deterministic O(n² log n) space upper bound for K4 was proven by Viganò [?]. The O(n² log n) bounds for K4 and S4 satisfiability were recently improved to O(n log n) deterministic space upper bounds by Nguyen [?]. See also Basin et al. [?] for uniform methods to obtain space upper bounds for non-classical logics. The first question that this paper addresses is whether these ubiquitous O(n log n) bounds are optimal.

It is interesting to note that all these papers use proof-theoretic methods rather than semantic methods. This is unusual, since semantic methods are much more common in proving complexity results for logics. The second question that this paper addresses is whether semantic methods are unsuitable for proving precise space bounds.

In this paper, we provide a negative answer to both these questions. We will show that modal satisfiability (i.e., K satisfiability) is in deterministic linear space, using purely semantic arguments.

The paper is organized as follows. In the next section, we give some basic background and terminology about modal logic and about space complexity. In Section 3 we give a quadratic space algorithm for modal satisfiability. This algorithm will be the starting point for the nondeterministic linear space algorithm from Section 4, which in Section 5 will be converted into a deterministic linear space algorithm.

2 Preliminaries

2.1 Modal Logic

We will briefly review syntax, Kripke semantics, and some basic terminology for modal logic.

Syntax

The set of (modal) formulas is inductively defined as follows.

— p is a formula for every propositional variable p,

— if φ and ψ are formulas, then so are φ∧ψ and ¬φ, and

— if φ is a formula, then □φ is a formula.

The modal depth of a formula φ (denoted by md(φ)) is the depth of nesting of the modal operator □. Formally,

— md(p) = 0 for every propositional variable p

— md(¬φ) = md(φ)

— md(φ∧ψ) = max(md(φ), md(ψ))

— md(□φ) = md(φ) + 1



Semantics

A (Kripke) model is of the form M = ⟨W, R, π⟩ such that W is a non-empty set of possible worlds, R is a binary relation on W called the accessibility relation, and π is a valuation, i.e., a function from the set of propositional variables to Pow(W). π(p) is the set of worlds in which p is true. For a formula φ, we will write M, w ⊨ φ for "φ is true/satisfied at w in M". The truth relation ⊨ is inductively defined on the structure of φ in the following way.

— M, w ⊨ p iff w ∈ π(p) for p a propositional variable.

— M, w ⊨ ¬φ iff not M, w ⊨ φ.

— M, w ⊨ φ∧ψ iff M, w ⊨ φ and M, w ⊨ ψ.

— M, w ⊨ □φ iff ∀w' ∈ W [wRw' ⇒ M, w' ⊨ φ].

A modal formula φ is satisfiable (K satisfiable) if and only if there exists a model M = ⟨W, R, π⟩ and a world w ∈ W such that M, w ⊨ φ. It is easy to see that a formula φ is satisfiable if and only if it is satisfiable in the root of a tree.

Since we want to restrict the amount of space needed, we will, during the construction of the model, only look at formulas that are relevant in each constructed world. Of course, the only formulas that are relevant form a subset of the set of subformulas of φ, usually denoted by Cl(φ). But we need to be more precise than that. In order to do so, we introduce the following definition.

Definition 1. Define Cl(φ, d) where φ is a modal formula and depth d ≥ 0 as follows:

1. φ ∈ Cl(φ, 0)

2. If ¬ψ ∈ Cl(φ, d), then ψ ∈ Cl(φ, d)

3. If ψ∧ξ ∈ Cl(φ, d), then ψ ∈ Cl(φ, d) and ξ ∈ Cl(φ, d)

4. If □ψ ∈ Cl(φ, d), then ψ ∈ Cl(φ, d + 1)

As mentioned before, φ is satisfiable if and only if φ is satisfiable in the root of a tree. If a model M is a tree, and the root of the tree satisfies φ, then for every world w at depth d, the only formulas that are relevant are those in Cl(φ, d).

2.2 Space Complexity

In this subsection, we review some well-known relationships between time and space classes.

1. P ⊆ NP ⊆ PSPACE = NPSPACE ⊆ EXPTIME.

The equality PSPACE = NPSPACE follows from Savitch's theorem [?]. It is known that P is a strict subset of EXPTIME, but it is not known which of the inclusions are strict.

2. For linear time/space, the inclusions are as follows:

DTIME(O(n)) ⊊ NTIME(O(n)) ⊆ DSPACE(O(n)) ⊆ NSPACE(O(n)) ⊆ DTIME(2^{O(n)}).

DTIME(O(n)) ⊊ NTIME(O(n)) is due to Paul, Pippenger, Szemerédi, and Trotter [?]. The strictness of the other inclusions is unknown. In addition, Savitch's theorem gives NSPACE(O(n)) ⊆ DSPACE(O(n²)).

3. Stearns, Hartmanis, and Lewis [?] proved the following hierarchy theorem for deterministic space: If S₂(n) is a space-constructible function, S₁(n) ≤ S₂(n) for all n, and inf_{n→∞} S₁(n)/S₂(n) = 0, then DSPACE(S₁(n)) ⊊ DSPACE(S₂(n)) [?].

PSPACE features prominently in the complexity of modal satisfiability problems. For example, the satisfiability problems for K, T, K4, and S4 are all PSPACE-complete [?] and so are their multi-modal analogues and multi-modal S5 [?].

3 Satisfiability in Quadratic Space

In this section, we will give a quadratic space algorithm for modal satisfiability. This algorithm forms the basis for the linear space algorithm that will be given in the next section. In addition, it introduces some notation, tools, and observations that will be built upon in the next sections.

It is easy to show by induction on depth d that for all Γ ⊆ Cl(φ, d), Γ is a maximal satisfiable subset of Cl(φ, d) if and only if MaxSat(Γ, d) is true, where MaxSat(Γ, d) is recursively defined as follows. MaxSat(Γ, d) is true if and only if

1. (ψ ∉ Γ iff ¬ψ ∈ Γ) for all ¬ψ in Cl(φ, d),

2. (ψ∧ξ ∈ Γ iff ψ ∈ Γ and ξ ∈ Γ) for all ψ∧ξ ∈ Cl(φ, d), and

3. for all □ψ in Cl(φ, d) \ Γ, there exists a set Γ_{¬ψ} ⊆ Cl(φ, d + 1) such that

(a) ψ ∉ Γ_{¬ψ},

(b) for all □ξ ∈ Γ, ξ ∈ Γ_{¬ψ},

(c) MaxSat(Γ_{¬ψ}, d + 1).

This definition is the starting point for our space efficient algorithms for modal satisfiability, since φ is satisfiable if and only if there exists a set of formulas Γ ⊆ Cl(φ, 0) such that φ ∈ Γ and MaxSat(Γ, 0).

This definition is close to Ladner's tableau construction [?]. The main differences are that we have replaced the tableau rules for the propositional part by one nondeterministic step, and that we are explicit about the set of formulas relevant at each recursive depth. The definition is even closer to Vardi's construction [?]. The main difference is that we are explicit about the set of formulas relevant at each recursive depth.

Of course, the recursive definition of MaxSat given above is not quite an algorithm, but that is easy to fix. Here is a nondeterministic algorithmic version of MaxSat, closely related to Vardi's alternating polynomial time algorithm [?]. (Alternating polynomial time = PSPACE [?].) The conversion from definition to algorithm is straightforward, and it will make the transition to the linear space algorithm easier.

For all Γ ⊆ Cl(φ, d), the algorithm will accept MaxSat(Γ, d) if and only if Γ is a maximal satisfiable subset of Cl(φ, d).

MaxSat(Γ, d):

For every φ' ∈ Cl(φ, d),

1. if φ' = ¬ψ and not [ψ ∉ Γ iff ¬ψ ∈ Γ], then reject

2. if φ' = ψ∧ξ and not [ψ∧ξ ∈ Γ iff ψ ∈ Γ and ξ ∈ Γ], then reject

3. if φ' = □ψ and φ' ∉ Γ, then guess a set Γ_{¬ψ} ⊆ Cl(φ, d + 1) such that

(a) ψ ∉ Γ_{¬ψ},

(b) for all □ξ ∈ Γ, ξ ∈ Γ_{¬ψ}, and

(c) MaxSat(Γ_{¬ψ}, d + 1) accepts.

Accept (that is, if the algorithm got through the loop without rejecting, then accept).

We will now briefly and informally analyze the space required for this algorithm. A more formal analysis of the linear space algorithms will be given in the next sections.

To analyze the space required by the algorithm, first note that the maximum number of nested recursive calls is md(φ) + 1, since Cl(φ, md(φ) + 1) = ∅. The amount of space required for each call to MaxSat without the recursive calls is dominated by the space required to store Γ. It is well-known that every subset of subformulas of φ can be represented as a bitstring of length |φ|, since every position in φ corresponds to at most one subformula of φ, and every subformula of φ corresponds to at least one position in φ. (We leave the exact details of the representation and implementation for the next section.)

These observations lead to a quadratic nondeterministic space upper bound. In general, this would give a quartic deterministic space upper bound via Savitch's theorem [?]. However, in this algorithm, the nondeterminism is used in a rather restricted way. The only nondeterminism in the algorithm is in step 3: "guess a set Γ_{¬ψ} ⊆ Cl(φ, d + 1) such that ..."

We can remove this nondeterminism without increase in space in the following way. Replace step 3 by

3. if φ' = □ψ and φ' ∉ Γ, then cycle through all sets Γ_{¬ψ} ⊆ Cl(φ, d + 1). For each of these subsets, check if

(a) ψ ∉ Γ_{¬ψ},

(b) for all □ξ ∈ Γ, ξ ∈ Γ_{¬ψ}, and

(c) MaxSat(Γ_{¬ψ}, d + 1) accepts.

If we find that one of the sets Γ_{¬ψ} ⊆ Cl(φ, d + 1) satisfies these three requirements, then proceed with the algorithm. Otherwise, reject.

We will leave the details about how to deterministically cycle through all subsets of Cl(φ, d + 1) to Section 5.

4 Satisfiability in Nondeterministic Linear Space

The quadratic deterministic space bound from the previous section ties Ladner's bound, which is not surprising, since our algorithm is close to Ladner's. How can we do better? In the analysis, we looked at the space used for each nested recursive call separately. In order to improve the space efficiency, we will have to combine the space used at the different recursion depths. Since recursion in combination with global variables is hard to follow, we will give an iterative version for satisfiability that is based on MaxSat and work from there.

One problem is to simulate the multiple recursive calls MaxSat(Γ_{¬ψ}, d + 1) without using too much space. For example, if we keep track of the number of recursive calls made at each depth, we need space n log n, and this is too much. Our solution is the following. For each depth d, assume an ordering on the formulas in Cl(φ, d). It then suffices to keep track of the formula currently being processed. We will call this formula curForm(d). One might think that we will then need log n bits at each depth d to keep track of curForm(d), in which case we would have gained nothing. But we will show in the sequel that all these formulas together can be combined into one length n bitstring.

The remainder of the simulation is fairly straightforward. Depth d corresponds to d in MaxSat and Γ(d) corresponds to Γ at depth d in MaxSat. We will use newWorld to denote that a new world is being built, i.e., all formulas in Cl(φ, d) still have to be processed.

Here is the non-recursive and nondeterministic algorithm to determine if φ is satisfiable.






d := 0; newWorld := true
guess Γ(0) ⊆ Cl(φ, 0) such that φ ∈ Γ(0)
while d ≥ 0 do
    if not newWorld and curForm(d) is the last formula in Cl(φ, d) then
        d := d − 1
    else
        if newWorld then
            curForm(d) := the first formula in Cl(φ, d)
            newWorld := false
        else
            curForm(d) := the next formula in Cl(φ, d)
        if curForm(d) = ¬ψ and not [ψ ∉ Γ(d) iff ¬ψ ∈ Γ(d)] then reject
        if curForm(d) = ψ∧ξ and not [ψ∧ξ ∈ Γ(d) iff ψ ∈ Γ(d) and ξ ∈ Γ(d)] then reject
        if curForm(d) = □ψ and curForm(d) ∉ Γ(d) then
            guess a set Γ(d + 1) ⊆ Cl(φ, d + 1) such that
                ψ ∉ Γ(d + 1) and for all □ξ ∈ Γ(d), ξ ∈ Γ(d + 1)
            d := d + 1
            newWorld := true
accept

The space used by this algorithm depends on the implementation of Γ and curForm.

In the previous section, we mentioned that every subset of subformulas of φ can be represented as a bitstring of length |φ|, since every position in φ corresponds to at most one subformula of φ, and every subformula of φ corresponds to at least one position in φ. We can store even more information in such a bitstring, since every position in φ corresponds to at most one occurrence of a subformula of φ, and every occurrence of a subformula of φ corresponds to exactly one position in φ. Since the sets of occurrences of formulas in Cl(φ, d) and Cl(φ, d') in φ are disjoint for all d ≠ d', this implies that we can represent the sequence of sets Γ(0), Γ(1), Γ(2), ... by a length |φ| bitstring and also that we can represent curForm(0), curForm(1), curForm(2), ... by a length |φ| bitstring.

This is looking good, since we are now using linear space to represent all relevant information of the algorithm. It remains to give the exact details of the representation and to show that we can encode and decode the relevant information into and from our representation without using more than linear space.

We will start with the definition of the representation. For φ a formula and 1 ≤ i ≤ |φ| such that the ith symbol in φ (denoted by φ[i]) is not a parenthesis, let φ_i be the φ subformula with φ[i] as main connective. The depth of i in φ, written as depth_φ(i) (or simply as depth(i) if φ is clear from context) is defined as the modal nesting depth of the occurrence of the φ subformula with as main connective the ith symbol in φ.

The sequence of sets Γ(0), Γ(1), Γ(2), ... will be encoded by bitstring Γ of length |φ| as follows.

— For all i, if φ[i] is a parenthesis, then Γ[i] = 0.

— If φ_i = φ_j and depth(i) = depth(j), then Γ[i] = Γ[j].

— Γ(d) = {φ_i | Γ[i] = 1 and depth(i) = d}.

The sequence of currently active formulas curForm(0), curForm(1), curForm(2), ... will be encoded by bitstring curForm of length |φ| as follows.

— For all i, if φ[i] is a parenthesis, then curForm[i] = 0.

— If curForm(d) is defined, then curForm(d) = φ_i, where i is the unique i such that curForm[i] = 1 and depth(i) = d.

— If curForm(d) is undefined, then there is no i such that curForm[i] = 1 and depth(i) = d.

It is easy to see that given an index i, we can compute φ_i and depth(i) in linear space, for example by a simple modification of the standard infix-to-postfix conversion algorithm.

Now look carefully at the satisfiability algorithm. It is not hard to see that the whole algorithm can be implemented in linear space. (See below for the implementation of the relevant parts of the algorithm.)

Implementation of the Relevant Parts of the Algorithm

Computing curForm(d):
    for i := 1 to |φ| do
        if curForm[i] = 1 and depth(i) = d then
            curForm(d) := φ_i

Setting curForm(d) to the next formula in Cl(φ, d):
    for i := 1 to |φ| do
        if curForm[i] = 1 and depth(i) = d then break
    curForm[i] := 0
    for j := i + 1 to |φ| do
        if depth(j) = d then curForm[j] := 1; break

Checking if ψ ∈ Γ(d):
    for i := 1 to |φ| do
        if depth(i) = d and φ_i = ψ then
            ψ ∈ Γ(d) if and only if Γ[i] = 1

Guessing a set Γ(d) ⊆ Cl(φ, d):
    for i := 1 to |φ| do
        if depth(i) = d then
            new := true
            for j := 1 to i − 1 do
                if depth(j) = d and φ_i = φ_j then
                    new := false; Γ[i] := Γ[j]; break
            if new then nondeterministically set Γ[i] to 0 or 1

5 Satisfiability in Deterministic Linear Space

In this section, we will show how to remove the nondeterminism from the nondeterministic linear space algorithm from Section 4 without increasing the amount of space used. Just as in Section 3, note that the nondeterminism in the algorithm from Section 4 is used in a restricted way, namely in guessing a subset of Cl(φ, d) such that certain properties are satisfied. As mentioned in Section 3, we can remove this nondeterminism without increase in space by cycling through all possible subsets of Cl(φ, d).

The following deterministic version of the algorithm from Section 4 makes this more precise. Implementation details of the new parts will follow.

d := 0; reject := false; newWorld := true
Γ(0) := the first subset of Cl(φ, 0)
while d ≥ 0 do
    if reject then
        if Γ(d) is the last subset of Cl(φ, d) then
            if d = 0 then reject else d := d − 1
        else
            Γ(d) := the next subset of Cl(φ, d)
            reject := false
            newWorld := true
    elseif not newWorld and curForm(d) is the last formula in Cl(φ, d) then
        d := d − 1
    else
        if newWorld then
            if d = 0 and φ ∉ Γ(0) then reject := true
            // if curForm(d − 1) = □ψ, then we need a witness for □ψ ∉ Γ(d − 1)
            if d > 0 and curForm(d − 1) = □ψ and ψ ∈ Γ(d) then reject := true
            if d > 0 and for some □ξ ∈ Γ(d − 1), ξ ∉ Γ(d) then reject := true
        if not reject then
            if newWorld then
                curForm(d) := the first formula in Cl(φ, d)
                newWorld := false
            else
                curForm(d) := the next formula in Cl(φ, d)
            if curForm(d) = ¬ψ and not [ψ ∉ Γ(d) iff ¬ψ ∈ Γ(d)] then reject := true
            if curForm(d) = ψ∧ξ and not [ψ∧ξ ∈ Γ(d) iff ψ ∈ Γ(d) and ξ ∈ Γ(d)] then reject := true
            if curForm(d) = □ψ and curForm(d) ∉ Γ(d) then
                Γ(d + 1) := the first subset of Cl(φ, d + 1)
                d := d + 1
                newWorld := true
accept

We will use newWorld to denote that Γ(d) is a new subset of Cl(φ, d). If newWorld is true, then we need to verify the desired properties of Γ(d). Since we are simulating all possible nondeterministic choices of sets Γ(d), we will use a variable reject that will be true if the current choice of Γ's rejects. If reject is true, we need to proceed to the next possible choice of Γ's.

We will use the same encoding as in the previous section. It should be clear that we are using deterministic linear space to keep track of all the relevant information in the algorithm. It remains to show that we can implement the new steps in the algorithm in linear space. This proves the main result of this paper.

Theorem 1. Modal satisfiability is in deterministic linear space.



Implementation of the New Parts of the Algorithm

Setting Γ(d) to the first subset of Cl(φ, d), that is, setting Γ(d) to ∅:
    for i := 1 to |φ| do
        if depth(i) = d then
            Γ[i] := 0

Setting reject to true if for some □ξ ∈ Γ(d − 1), ξ ∉ Γ(d):
    for i := 1 to |φ| do
        if depth(i) = d − 1 and φ_i = □ξ and Γ[i] = 1 then
            for j := 1 to |φ| do
                if depth(j) = d and φ_j = ξ and Γ[j] = 0 then
                    reject := true

It remains to show how to set Γ(d) to the next subset of Cl(φ, d) and how to detect if Γ(d) is the last subset of Cl(φ, d). Basically, we will view the bits Γ[i] such that depth(i) = d as a binary number, and set these bits to the next binary number, that is, we traverse the bits from right to left, changing every 1 to a 0 until we see the first 0. Then change that 0 to a 1. However, we have to ensure that bitstring Γ properly encodes Γ(d), that is, if φ_i = φ_j and depth(i) = depth(j) = d, then Γ[i] = Γ[j]. We will repeat computing the next binary number until this is the case.

repeat
    found := false
    for i := |φ| downto 1 do
        if depth(i) = d then
            if Γ[i] = 1 then
                Γ[i] := 0
            else
                Γ[i] := 1
                found := true
                break
    if found then
        // check if Γ properly encodes Γ(d)
        correct := true
        for i := 1 to |φ| do
            for j := 1 to |φ| do
                if depth(i) = depth(j) = d and φ_i = φ_j and Γ[i] ≠ Γ[j] then
                    correct := false; break
until correct or not found
if not found then
    Γ(d) was the last subset of Cl(φ, d)
else
    Γ(d) was set to the next subset of Cl(φ, d).

6 What about Other Modal Logics? 

In the linear space encoding of the algorithms for modal satisfiability, we crucially 
used the fact that every satisfiable formula is satisfiable in the root of a tree and 
that every world in the satisfying model is at a unique distance from the root. It is 
easy to see that, using the methods from this paper, one can obtain deterministic 
linear space upper bounds for, for example, satisfiability with respect to those 
models where every world has at most k successors, and for the disjoint union of 
any number of K logics. (This satisfiability problem was shown to be PSPACE- 
complete in [?].) 

On the other hand, the constructions from this paper don’t directly apply to 
satisfiability with respect to all reflexive models (T satisfiability), or transitive 
models (K4 satisfiability), since in these cases worlds will not be at a unique 
distance from the root. Without this property, we are not able to encode all 
relevant formulas on a branch of the model in one linear length bitstring. 

However, we can construct satisfying K4 (transitive) and S4 (reflexive and 
transitive) models in quadratic space. In addition, we can keep track of all 
currently active □ formulas as one length n bitstring, as in the construction 
for curForm in this paper. This will lead to an O(n log n) space upper bound 
for these two logics. The details of these constructions are tedious, and these 
O(n log n) bounds only tie the best-known bounds [?], so we will not go into 
details. However, it does show that our methods are more widely applicable. 
Abstract. This paper aims to define a complete semantics for a class of 
non-terminating logic programs. Standard approaches to deal with this 
problem consist in concentrating on programs where infinite derivations 
can be seen as computing, in the limit, some “infinite object”. This is 
usually done by extending the domain of computation with infinite ele- 
ments and then defining the meaning of programs in terms of greatest 
fixpoints. The main drawback of these approaches is that the semantics 
defined is not complete. The approach considered here is exactly the op- 
posite. We concentrate on the infinite derivations that do not compute 
an infinite term: this paper studies the operational counterpart of the 
greatest fixpoint of the one-step-inference operator for the C-semantics. 
The main result is that such fixpoint corresponds to the set of atoms 
that have a non-failing fair derivation with the additional property that 
complete information over a variable is obtained after finitely many steps. 



1 Introduction — Motivations 

In computer science, termination of programs is a traditional requirement. Logic 
programming does not escape from this influence and there exist many works 
about termination of logic programs. However, infinite behaviour of programs 
can be useful to model some situations and the study of nonterminating “com- 
putations” has received an increasing interest in the context of many program- 
ming paradigms: λ-calculus, rewrite systems, logic programming, concurrent con- 
straint programming [?] ... In this paper, we focus on reactive logic programs (i.e., 
definite logic programs for which the behaviours of interest are both terminat- 
ing and non-terminating ones). In the field of logic programming, infinite SLD- 
derivations can be useful to model the infinite computation of an infinite object. 
As a typical example, with the program P = {LN(x, [x|l]) ← LN(s(x), l)} we can 
obtain, from the query LN(k, l_0), an infinite derivation computing at every step 
a better approximation of the second argument. The “final result” is the “limit” 
of the sequence of approximations and corresponds to the infinite sequence of 
integers starting from k. However, there exist infinite derivations which do not 
compute an infinite object. Such derivations can be useful to model a certain 
class of infinite processes. For example, let us consider the famous (simple) dining 
philosophers problem, introduced by Dijkstra as a model for resource sharing. 
In this problem, 3 philosophers P_1, P_2 and P_3 are sitting around a table in the 
center of which there is a plate of spaghetti. Between each philosopher and his 
(or her) neighbour there is exactly one fork. A philosopher requires two forks to 
be able to eat and since there are exactly as many forks as there are philosophers 
it is not possible for all philosophers to eat at the same time. We can describe 
this problem by the logic program containing the following clauses, expressing 
that a philosopher can take a fork, drop a fork, or eat: 

Fig. 1. The dining philosophers problem 



    p(0,x,y) ← p(1,x,y)     p(0,x,y) ← p(2,x,y)     p(x,0,y) ← p(x,3,y) 
    p(x,y,0) ← p(x,y,1)     p(x,0,y) ← p(x,2,y)     p(x,y,0) ← p(x,y,3) 
    p(1,x,y) ← p(0,x,y)     p(2,x,y) ← p(0,x,y)     p(x,3,y) ← p(x,y,0) 
    p(x,y,1) ← p(x,y,0)     p(x,2,y) ← p(x,0,y)     p(x,y,3) ← p(x,y,0) 
    eat(1) ← p(1,x,1)       eat(2) ← p(2,2,x)       eat(3) ← p(x,3,3) 
                                                                      (1) 



where p is a 3-ary predicate whose three arguments describe respectively the 
state of the 3 forks (0 means the fork is free, i ∈ {1,2,3} means the fork is 
taken by the philosopher P_i) and eat(i) means that the philosopher P_i can eat. 
With this program, every derivation from the query eat(i) is infinite and does 
not compute an infinite object. It just describes an infinite sequence of actions 
done by the philosopher¹. 

The main approaches to assign some meaning to infinite derivations in “pure” 
logic programming occurring in the literature concentrate on the aspects related 
to the semantics of infinite objects and to the models for logic programs which 
take them into account. In this setting, the relevant notion is the one of 
computation (in the limit) of an infinite object. The sense of a “useful” 
infinite derivation is given by the notion of atom computed at infinity (i.e., an 
infinite atom A such that there exists a finite atom from which there exists an 
infinite derivation which “computes at infinity” A). However, these approaches 
are not satisfactory since if we consider a greatest fixpoint semantics over the 
domain of infinite terms, then programs like program 

    P = {p(x) ← p(x)}                                                 (2) 

have a non-empty denotation even if no atom can be computed at infinity with 
P. In fact, p(f^ω) is in the greatest fixpoint of the classical one-step-inference 

¹ This behaviour may correspond to a livelock situation; however, our interest in this 
problem is different. 
operator associated to P even if p(f^ω) is not computable by an infinite derivation. 
The construction of the greatest fixpoint does not reflect how the infinite terms 
are constructed during a derivation. Hence, either such semantics [?] are not 
complete, since there exist infinite atoms in the denotation of a program which 
are not computable by an infinite derivation, or the completeness is expressed 
as follows [?]: 

    A ∈ gfp(T_P)  ⟺  A is the root of a fair derivation 

where A is a possibly infinite atom. Nevertheless, in this case, this “complete- 
ness” result is obtained by allowing infinite terms in the queries which start SLD- 
derivations. For example, with program (2), we can consider the derivation: 

    p(f^ω) →_P ⋯ →_P p(f^ω) →_P ⋯                                     (3) 

This requirement is clearly stated in [?]. Nevertheless, this does not correspond 
to the standard operational semantics of logic programs as defined in [?] and 
one may wonder how queries containing infinite terms can be given. 

It is now well-known that standard semantics of logic programs can be ex- 
pressed by purely proof-theoretic methods [?]. The most immediate way to give 
such a semantics is to consider clauses as inference rules, rather than logic for- 
mulas, and then a logic program as a formal system. From this point of view, 
the denotation of a program is the set of theorems which can be derived in this 
system. Within this framework, (co-)inductive definitions are a natural way to 
define the denotation of logic programs. Since, proof-theoretically, we can look at 
a clause H ← B_1, ⋯, B_n as an introduction rule for H (or similarly as a construc- 
tor in a (co-)inductive definition), by following the Curry-Howard isomorphism, 
it is possible to represent clauses by constructors of a functional language and 
each proof can be viewed as a functional expression. Hence, in this paper, we 
focus on the correspondence between co-inductive definitions and logic programs 
(i.e., between proofs as functional expressions and proofs as SLD-derivations). 
This will lead us to define a sound and complete semantics for the subclass 
of infinite derivations over the domain of finite terms (i.e., infinite derivations 
which do not compute any infinite term). One may question the interest 
of such derivations, which are often dismissed as meaningless. However, as we said, 
such derivations are useful to model infinite processes which do not compute an 
infinite object. Furthermore, it seems that the incompleteness of the usual approaches 
comes from these derivations, and this work complements the knowledge we have 
in this area. Due to space limitations, most proofs are incomplete or omit- 
ted here. They can be found in a research report [?]. The rest of the paper 
is organized as follows: the end of this section introduces the basic definitions 
and notations. Section 2, which can be omitted during a first reading, contains 
a (brief) discussion on the correspondence between SLD-derivations and proof 
terms, and last, section 3 presents a sound and complete semantics for infinite 
derivations over the domain of finite terms. 

² In an implicit way, this implies the use of an adequate unification algorithm and the 
modification of the notion of atom computed at infinity. 
Background and notations. We assume here familiarity with the standard notions 
of (co-)inductive definitions and logic programming (Herbrand semantics and C- 
semantics) as introduced in [?]. (Co-)inductive sets can be defined by 
some rules for generating elements of the set and by adding that an object is 
to be in the set only if it has been generated by applying these rules. Given 
a rule set Φ (a rule is written e ← E, where E is the set of premises and 
e is the conclusion), a set A is said to be Φ-closed (resp. Φ-dense) if each rule 
in Φ whose premises are in A also has its conclusion in A (resp. if for every 
a ∈ A there is a set E ⊆ A such that (a ← E) ∈ Φ). The set inductively 
(resp. co-inductively) defined by Φ, written Ind(Φ) (resp. CoInd(Φ)), is defined 
by Ind(Φ) = ∩{A | A is Φ-closed} (resp. CoInd(Φ) = ∪{A | A is Φ-dense}). These 
sets can also be expressed by using monotone operators: if Φ is a rule set, we 
may define a monotone operator T_Φ : 2^B → 2^B, where B = ∪_{e←E ∈ Φ} ({e} ∪ E), 
by: 

    T_Φ(A) = {e ∈ B | ∃ (e ← E) ∈ Φ, E ⊆ A}                             (4) 

and then Ind(Φ) = ∩_{T_Φ(A) ⊆ A} A = lfp(T_Φ) and CoInd(Φ) = ∪_{A ⊆ T_Φ(A)} A = gfp(T_Φ). 
Σ, Π and X denote respectively a set of function symbols, a set of predicate 
symbols, and a set of variable symbols. Elements of T_Σ[X] are (finite) terms over 
X ∪ Σ. A substitution θ is a mapping from X to T_Σ[X] such that {x | x ≠ θx} = 
dom(θ) is finite. range(θ) denotes the set {var(θx) | x ∈ dom(θ)}. Composition 
of substitutions induces a preorder on substitutions (θ_1 ≤ θ_2 ⟺ ∃μ, μθ_1 = θ_2) 
and on expressions (E_1 ≤ E_2 ⟺ ∃μ, μE_1 = E_2). A renaming substitution is a 
mapping σ: X → X such that ∀x, y ∈ dom(σ), x ≠ y ⇒ σ(x) ≠ σ(y). A mgu is 
a minimal idempotent unifier. The preorder ≤ induces an equivalence relation 
≈ (called variance): E_1 ≈ E_2 iff there exist two renaming substitutions θ_1 and 
θ_2 such that θ_1E_1 = E_2 and θ_2E_2 = E_1. At_{Σ,Π}[X] denotes the set of (finite) 
atoms. Given a clause C ∈ P, we write C^+ for its head and C^- for its body. An 
SLD-derivation with a program P is a possibly infinite sequence of transitions: 

    R = A_1, ⋯, A_k, ⋯, A_n  →_P^{C,θ}  θ(A_1, ⋯, A_{k−1}, B_1, ⋯, B_q, A_{k+1}, ⋯, A_n) = θR[k ← C^-] 



where θ is a mgu of C^+ and A_k and where C is a variant of a clause in P, whose 
body is B_1, ⋯, B_q. In an SLD-derivation from a goal R_0, the sequence of clauses 
C_1, C_2, ⋯ is such that³ 

    ∀i ≥ 1   var(C_i) ∩ (∪_{j<i} var(C_j) ∪ var(R_0)) = ∅ 

As defined in [?], an SLD-derivation is fair if it is either failed or, for every 
atom B in the derivation, (some further instantiated version of) B is selected 
within a finite number of steps. Given an atom A (resp. a program P), we write 
⌈A⌉ (resp. ⌈P⌉) to denote the set of (not necessarily ground) finite instances of 
A (i.e., of clauses in P). Furthermore P also denotes all the variants of clauses 
in P. 



³ As illustrated in [?], this renaming process is crucial and has been explicitly 
considered in our proofs. All the derivations considered here satisfy this requirement. 
2 Logic Programs as (Co-)inductive Definitions 

The fixed point semantics has long been used as a technical device. However, it 
corresponds to the “logic programs as (co-)inductive definitions” paradigm and 
can be considered as the logic program’s intrinsic declarative content. Indeed, 
many properties of logic programs are similar to those enjoyed by inductive defi- 
nitions. Recall that, as proved in [?], a C-interpretation I (i.e., an upward closed 
subset of At_{Σ,Π}[X]) is a C-model of P iff T_P(I) ⊆ I, and the model intersection 
property allows to consider the least C-model of P as the intersection of all C- 
models of P. Since T_P is exactly the operator T_⌈P⌉ obtained from the rule set ⌈P⌉, 
as described by (4), each C-model of P is a T_⌈P⌉-closed set and, since Ind(⌈P⌉) 
is defined as the intersection of all T_⌈P⌉-closed sets, we have M^C_P = Ind(⌈P⌉). 
Now, since the body of each clause contains a finite number of atoms, T_⌈P⌉ is 
continuous and we have the well-known result M^C_P = lfp(T_⌈P⌉) = T_⌈P⌉↑ω, which 
only follows from properties of inductive definitions: the least C-model can be 
directly expressed by an inductive definition. This proof-theoretic approach is 
now well-known [?] and has been used to extend logic programming lan- 
guages in order to increase the power of “pure” declarative programming. Now 
let us consider the “logic programs as co-inductive definitions” paradigm, from 
which the usual greatest fixpoint semantics is defined. The greatest fixpoint of 
the operator, defined over the completed Herbrand base (i.e., containing infi- 
nite atoms), associated to a program P, corresponds to the co-inductive set 
CoInd(⌊P⌋), where ⌊P⌋ denotes all the ground instances of clauses occurring in 
P over the completed Herbrand base. Hence, incompleteness follows from pro- 
grams like program (2) since for this program, the clause p(f^ω) ← p(f^ω) is 
in ⌊P⌋ and therefore {p(f^ω)} is ⌊P⌋-dense (i.e., T_⌊P⌋-dense) and then we have 
p(f^ω) ∈ CoInd(⌊P⌋). The incompleteness comes from the fact that clauses of ⌊P⌋ 
are expressed over a language richer than the language of programs and queries: 
by allowing infinite elements in queries, such an approach becomes complete 
(since we can obtain the derivation (3)). 

In the context of type theory, T. Coquand [?] notes that infinite objects 
can be constructively understood, without the consideration of partial elements 
or greatest fixed-points, through the explicit consideration of proof objects. As 
said in section 1, by following the proofs-as-programs principle, we can look at 
a clause as a constructor of a functional language and then each proof can be 
represented as a functional expression. Like in a programming language, such 
expressions can be defined by recursion, which corresponds to proofs where the 
result proved is used recursively. Of course, this cannot be considered to be a 
valid proof in general, and has to satisfy the guardedness property: “[?] in order 
to establish that a proposition φ follows from other propositions φ_1, ⋯, φ_q, it 
is enough to build a proof term e for it, using not only natural deduction, case 
analysis, and already proven lemmas, but also using the proposition we want 
to prove recursively, provided such a recursive call is guarded by introduction 
rules.” Hence, by considering clauses as introduction rules, and since a clause 
is applied at each resolution step of a derivation, it is possible to establish a 
correspondence between guarded (proof) terms in a co-inductive set and SLD- 
derivations (more formally, a term is said to be guarded (by constructors) if its 
definition is such that all the recursive calls of the definition are done after having 
explicitly mentioned which is (at least) the first rule to start building the element 
and such that no other functions apart from constructors are applied to recursive 
calls). Let us introduce two examples. With the program P = {p(x) ← p(f(x))}, 
we can obtain the derivation: 



    p(z)  →_P^{C}  p(f(x_1))  →_P  ⋯          (mgu {z/x_1}) 
                  └── proof of ∀x_1 p(f(x_1)) ──┘ 

which can be viewed as a proof of ∀x p(x), since the term: 

    π := λz.C 





is guarded by the clause (i.e., the rule) C and then defines for any z a proof of 
p(z) which belongs to CoInd(⌈P⌉). The correspondence is immediate: the appli- 
cation of the constructor C corresponds to the first transition of the derivation, 
while the recursive call corresponds to the next ones (i.e., the derivation starting 
from the query p(f(x_1)), a proof of ∀x p(f(x))). Such derivations correspond 
to co-inductive proofs. However, this correspondence cannot be observed for in- 
finite SLD-derivations which compute infinite terms. Consider for example the 
program P = {p(f(x)) ← p(x)} from which we can obtain the following infinite 
derivation computing the infinite term f^ω: 



    p(z)  →_P  p(x_1)  →_P  p(x_2)  →_P  ⋯  →_P  p(x_i)  →_P  ⋯ 
    with mgus {z/f(x_1)}, {x_1/f(x_2)}, ⋯, {x_{i−1}/f(x_i)}, ⋯ 



Such a derivation is both a computation (of the infinite term f^ω)⁴ and a proof 
that this infinite term is such that p(f^ω). However, the proof term of p(f^ω) is 
defined by: 

    π := eq_ind(f(f^ω), p, C(f^ω, π), f^ω, e) 

where C is the clause in P, where e is a proof of f^ω = f(f^ω) and where eq_ind 
corresponds to Leibniz’ equality: 

    eq_ind : ∀x ∈ E, ∀P predicate on E, P(x) → ∀y ∈ E, (y = x) → P(y) 

Clearly, this proof term does not correspond to the infinite derivation computing 
the term f^ω. However, proof terms over finite objects do not use eq_ind and can 
be viewed as definitions of the sequences of clauses used in the corresponding 
derivations. 

⁴ Note that f^ω is defined by a guarded-by-constructors definition (f^ω := f(f^ω)); pos- 
sibly infinite terms are co-inductively defined with function symbols as constructors. 
3 Infinite SLD-Derivations over the Domain of Finite Terms 

Since the presence of infinite elements in the Herbrand base leads to incomplete- 
ness of the approaches based on greatest fixpoints, we focus in the following on 
infinite derivations which do not compute infinite terms. 



3.1 Proof Trees and Fair Derivations 

First, we define SLD-proofs (for the operational semantics based on SLD-resolu- 
tion) and proof trees (for the declarative semantics based on greatest fixpoint 
methods) as follows: 

Definition 1. An SLD-proof is either a refutation or a fair infinite derivation. 



Definition 2. Let Φ be a rule set over B. A proof tree of x ∈ B for Φ is a 
possibly infinite tree T such that x is the root of T, and for every node z occurring 
in T with z_1, ⋯, z_n as children, there exists a rule z ← z_1, ⋯, z_n ∈ Φ (if z is a 
leaf there exists a rule z ← ∅). 

In the following, we say that T is a partial proof tree if T is a proof tree whose 
leaves do not necessarily correspond to a (unit) rule. We have the following 
well-known lemma. 

Lemma 1. x ∈ CoInd(Φ) iff x is the root of a proof tree for Φ. 

Furthermore, the proof tree is finite iff x ∈ Ind(Φ) (for finitary Φ). 

In the next subsection, in order to prove the completeness result, we will 
need to be able to “translate” a proof tree into an SLD-derivation. The following 
lemma shows how this translation can be done. 

Lemma 2. Given a rule set Φ and an atom A ∈ CoInd(Φ), there exists an SLD- 
proof from A with Φ as program such that, for all i ≥ 1, the mgu used during the 
i-th resolution step of the SLD-proof is a renaming substitution whose domain 
coincides with the variables occurring in the head of the rule (i.e., the clause) 
used. 

Proof. If A ∈ CoInd(Φ), then, by lemma 1, A is the root of a proof tree T for Φ. 
Number the arcs emanating from each node from left to right, starting with 1. 
Each node can be designated (indexed) by the word obtained by concatenating 
the numbers of the arcs of the path leading from the root to the node (ε is the 
empty word). The breadth-first traversal of T produces a list L. Since T is a 
proof tree for Φ, for each node A_i in T, there exists a clause C_{T,i} ∈ Φ which can 
be written A_i ← A_{i1}, ⋯, A_{in_i}. Indexes of T can be ordered as follows: i ≤ j iff A_i 
occurs before A_j in L. Z_T = ∪_i var(C_{T,i}) is the set, possibly infinite, of variables 
occurring in T. It can be proved that given a clause C_{T,i} ∈ Φ, a renaming 
substitution r^i_0 such that range(r^i_0) ∩ var(C_{T,i}) = ∅, and a set of variables Z_i, 
there exists a substitution θ_i, a clause C_i and a renaming substitution r^i_1 = τ r^i_0 
such that: 

    var(C_i) ∩ (var(r^i_0 C_{T,i}) ∪ Z_i) = ∅        r^i_1 C_{T,i} = θ_i C_i 
    dom(θ_i) = var(C_i^+)                          range(r^i_1) = var(C_i^-) \ var(C_i^+) 

where τ is an idempotent renaming substitution which is a mgu of C_i^+ and 
r^i_0 C_{T,i}^+. From L, we can define the following sequence of resolution steps: 



1 < k < rii 



= T{Ct,c, Sid, Zt), Uk = T {CT,ik,r}^,Zik) \ ’'i 



Zjfc = Z-r U U var{Cj) 



where T(C_{T,i}, r^i_0, Z_i) denotes the transition yielding θ_i C_i^- and where σ_id is 
the empty substitution. This definition is sound since we can prove by induction 
that ∀i, range(r^i_0) ∩ var(C_{T,i}) = ∅. Furthermore, it can be proved in [?] that this 
sequence defines an SLD-proof satisfying the desired properties (fairness follows 
from the breadth-first traversal of T). 

In this section, proof trees for a rule set Φ have been related to SLD-proofs 
with Φ viewed as a program. The SLD-proofs obtained are such that the clauses 
used are not instantiated (they are just renamed). We will see that the ap- 
propriate rule set allowing to study infinite derivations which do not compute 
infinite terms is the rule set obtained from a program P by considering all the 
(finite) instances, not necessarily ground, of clauses in P. This corresponds to 
the C-semantics approach [?]. 



3.2 SLD-Proofs over the Domain of Finite Terms 

SLD-proofs over the domain of finite terms are SLD-derivations which do not 
compute infinite terms. In a more formal way, they can be defined by: 

Definition 3. An SLD-proof over the domain of finite terms is either a 
refutation or a fair infinite derivation: 

    R_0 →_P R_1 →_P ⋯ →_P R_{i−1} →_P R_i →_P ⋯ 

such that ∀k ≥ 0 ∃p ≥ k ∀q ≥ p   θ_q ⋯ θ_p ⋯ θ_{k+1} R_k ≈ θ_p ⋯ θ_{k+1} R_k. 

It is important to note that it does not suffice that the condition holds for 
the initial query. For example, with P = {q ← p(x); p(f(x)) ← p(x)}, even if 
during the derivation starting from q each mgu θ_i used is such that θ_i q = q, 
this derivation computes the infinite term f^ω. A different characterisation of 
SLD-proofs over the domain of finite terms can be obtained from the following 
lemma, proved in [?], and used during the proof of lemma 4. 
Lemma 3. A derivation R_0 →_P R_1 →_P ⋯ →_P R_{i−1} →_P R_i →_P ⋯ is an 
infinite SLD-proof over the domain of finite terms iff ∀i ≥ 0, ∃R, ∀n ≥ i + 1, 
θ_n θ_{n−1} ⋯ θ_{i+1} R_i ≤ R, where R is a query (i.e., R does not contain infinite 
atoms). 
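The two programs of section 2 (p(x) ← p(f(x)), whose derivation from p(z) stays over finite terms, and p(f(x)) ← p(x), which computes f^ω), the remark after Definition 3 about q ← p(x), and the condition of Definition 3 itself can be observed on a finite prefix of a derivation. The following added example (illustration code, not code from the paper) implements a minimal SLD engine with unification, renaming of clause variants at each step, and a check, up to variance, of whether every goal R_k of the prefix has stopped being instantiated; term syntax, the "leftmost atom, last unifying clause" selection rule and the two-snapshot comparison are this example's own conventions, and a prefix can only confirm that a derivation is still growing, not that it stabilises forever. 

```python
"""Added illustration: a minimal SLD engine used to observe, on a finite prefix
of a derivation, whether every goal R_k stops being instantiated (Definition 3)
or whether the derivation keeps building an infinite term.
A variable is a str; a compound term, constant or atom is a tuple (functor, *args)."""

def rename(term, i):
    """Fresh variant of a clause term: suffix every variable with the step number i."""
    if isinstance(term, str):
        return f"{term}_{i}"
    return (term[0],) + tuple(rename(a, i) for a in term[1:])

def walk(term, bind):
    """Follow variable bindings in the triangular substitution `bind`."""
    while isinstance(term, str) and term in bind:
        term = bind[term]
    return term

def occurs(v, term, bind):
    term = walk(term, bind)
    return term == v if isinstance(term, str) else any(occurs(v, a, bind) for a in term[1:])

def unify(s, t, bind):
    """Extend `bind` to a unifier of s and t (with occurs check); False if none exists."""
    s, t = walk(s, bind), walk(t, bind)
    if s == t:
        return True
    if isinstance(s, str) or isinstance(t, str):
        v, other = (s, t) if isinstance(s, str) else (t, s)
        if occurs(v, other, bind):
            return False                         # only finite terms are admitted
        bind[v] = other
        return True
    return s[0] == t[0] and len(s) == len(t) and all(unify(a, b, bind) for a, b in zip(s[1:], t[1:]))

def resolve(term, bind):
    """Apply the accumulated substitution completely: theta_n ... theta_1 term."""
    term = walk(term, bind)
    if isinstance(term, str):
        return term
    return (term[0],) + tuple(resolve(a, bind) for a in term[1:])

def variant(s, t, fwd, bwd):
    """Equality up to a bijective renaming of variables (the paper's variance)."""
    if isinstance(s, str) or isinstance(t, str):
        return (isinstance(s, str) and isinstance(t, str)
                and fwd.setdefault(s, t) == t and bwd.setdefault(t, s) == s)
    return (s[0] == t[0] and len(s) == len(t)
            and all(variant(a, b, fwd, bwd) for a, b in zip(s[1:], t[1:])))

def sld_prefix(program, query, steps):
    """Up to `steps` resolution steps on the leftmost atom, trying clauses from the
    last to the first. Returns the goals R_0..R_n, a snapshot of the bindings
    after step steps//2, and the final bindings."""
    bind, goals, mid = {}, [list(query)], None
    for i in range(1, steps + 1):
        goal = goals[-1]
        if not goal:                             # empty goal: a refutation was reached
            break
        selected, rest = goal[0], goal[1:]
        for head, body in reversed(program):
            trial = dict(bind)
            if unify(selected, rename(head, i), trial):
                bind = trial
                goals.append([rename(b, i) for b in body] + rest)
                break
        else:                                    # no clause applies: finitely failed
            goals.append(None)
            break
        if i == steps // 2:
            mid = dict(bind)
    return goals, mid, bind

def over_finite_terms(program, query, steps=40):
    """None if the prefix fails or is a refutation; otherwise True iff every goal R_k
    (k < steps//2) has the same instance, up to variance, after steps//2 steps and
    after all `steps` steps, i.e. no observed goal is still being instantiated."""
    goals, mid, final = sld_prefix(program, query, steps)
    if goals[-1] is None or goals[-1] == []:
        return None
    for k in range(steps // 2):
        then = ("goal",) + tuple(resolve(a, mid) for a in goals[k])
        now = ("goal",) + tuple(resolve(a, final) for a in goals[k])
        if not variant(then, now, {}, {}):
            return False
    return True

# Constructed programs, written as (head, body) pairs.
P_FINITE = [(("p", "x"), [("p", ("f", "x"))])]                     # p(x) <- p(f(x))
P_INFINITE = [(("p", ("f", "x")), [("p", "x")])]                   # p(f(x)) <- p(x)
P_Q = [(("q",), [("p", "x")]), (("p", ("f", "x")), [("p", "x")])]  # q <- p(x); p(f(x)) <- p(x)
P_PATH = [(("path", "x", "x"), []),                                 # path(x,x) <-
          (("path", "x", "z"), [("edge", "x", "y"), ("path", "y", "z")]),
          (("edge", ("a",), ("b",)), []), (("edge", ("b",), ("a",)), [])]  # a 2-cycle

if __name__ == "__main__":
    print(over_finite_terms(P_FINITE, [("p", "z")]))            # True
    print(over_finite_terms(P_INFINITE, [("p", "z")]))          # False
    print(over_finite_terms(P_Q, [("q",)]))                     # False: q is stable, R_1 is not
    print(over_finite_terms(P_PATH, [("path", ("a",), "X")]))   # True
```

In the P_FINITE run the goals themselves grow (p(f(x_1)), p(f(f(x_1))), ...) but no earlier goal is ever instantiated further, which is exactly what Definition 3 asks for; in the P_INFINITE run the instance of R_0 is f applied k times after k steps and never stabilises. The P_Q run shows why checking the initial query alone is not enough. 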

C-semantics results correspond to SLD-refutations: 

    S_P = {A (finite atom) | A →_P^* □ with computed answer θ and θA = A} = lfp(T_⌈P⌉) = Ind(⌈P⌉) 

Let us investigate infinite SLD-proofs over the domain of finite terms. The sound- 
ness theorem can be proved directly by using proof trees. 



Theorem 1 (Soundness). If there exists an SLD-proof over the domain of 
finite terms A_1, ⋯, A_n →_P R_1 →_P ⋯ →_P R_{i−1} →_P R_i →_P ⋯, then there 
exists k ≥ 0 such that for all i (1 ≤ i ≤ n), θ_k ⋯ θ_1 A_i ∈ gfp(T_⌈P⌉). 

Proof. We first prove the theorem for n = 1. By Tarski’s theorem and by 
lemma 1, it suffices to prove that for a natural k, there exists a proof tree 
of θ_k ⋯ θ_1 A_1 for ⌈P⌉. For this, let us define the sequence T_1, ⋯, T_i, ⋯ of par- 
tial proof trees, such that every atom occurring in R_i is a leaf in T_i, which is a 
partial proof tree of θ_i ⋯ θ_1 A_1 for ⌈P⌉. T_1 is obtained from the first transition: 
its root is θ_1 A_1 whose children (which are leaves) are all the atoms occurring 
in θ_1 C_1^-. Since θ_1 C_1 ∈ ⌈P⌉ and θ_1 A_1 = θ_1 C_1^+, T_1 is a partial proof tree of 
θ_1 A_1 for ⌈P⌉. Suppose now that T_{n−1} is a partial proof tree of θ_{n−1} ⋯ θ_1 A_1 
for ⌈P⌉ (corresponding to the n − 1 first transitions) such that atoms in R_{n−1} 
are leaves of T_{n−1}. By applying the substitution θ_n to each node of T_{n−1}, we 
get a partial proof tree of θ_n ⋯ θ_1 A_1 for ⌈P⌉ such that atoms in θ_n R_{n−1} are 
leaves. If A is the selected atom in R_{n−1}, then A is a leaf of T_{n−1} and θ_n A 
is a leaf in the new partial proof tree. Now, it suffices to add all the atoms in 
θ_n C_n^- as children of θ_n A (these children are leaves). In this way, we obtain a 
partial proof tree T_n satisfying the desired properties. Because the derivation 
does not compute infinite terms and therefore there exists a natural k ≥ 0 such 
that for all q ≥ k, θ_q ⋯ θ_k ⋯ θ_1 A_1 ≈ θ_k ⋯ θ_1 A_1, by iterating this process, we 
obtain a proof tree of θ_k ⋯ θ_1 A_1 for ⌈P⌉. Furthermore each leaf corresponds to 
a unit clause of ⌈P⌉ since the derivation is fair. For n > 1, the proof is sim- 
ilar: instead of building a sequence of partial proof trees, we build a sequence 
((T_1^1, ⋯, T_1^n), ⋯, (T_i^1, ⋯, T_i^n), ⋯) of tuples of n partial proof trees for ⌈P⌉ 
such that θ_i ⋯ θ_1 A_j is the root of T_i^j (1 ≤ j ≤ n) and each atom occurring in 
R_i is a leaf of T_i^j for some j. 

Since, by lemma 2, there exists an SLD-proof with the program ⌈P⌉ from 
each atom occurring in CoInd(⌈P⌉), lemma 4 describes how to “translate” an 
SLD-derivation with ⌈P⌉ into an SLD-derivation with P. It can be viewed as a 
“program lifting lemma” playing the same role as the (classical) lifting lemma 
in the proof of the (classical) completeness theorem. 

Lemma 4 (Program lifting lemma). If there exists an SLD-proof: 

    A_0 →_⌈P⌉^{C_1,θ_1} R_1 →_⌈P⌉ ⋯ →_⌈P⌉ R_{i−1} →_⌈P⌉^{C_i,θ_i} R_i →_⌈P⌉ ⋯ 

such that for all i ≥ 1, θ_i is an idempotent renaming substitution such that 
dom(θ_i) = var(C_i^+), then there exists an SLD-proof over the domain of finite terms: 

    A_0 →_P^{C_{P,1},σ_1} R'_1 →_P ⋯ →_P R'_{i−1} →_P^{C_{P,i},σ_i} R'_i →_P ⋯ 

such that for all i ≥ 1, σ_i A_0 = A_0, C_i = μ_i C_{P,i} and R_i = ρ_i R'_i, where ρ_i is 
the restriction of θ_i μ_i θ_{i−1} μ_{i−1} ⋯ θ_1 μ_1 to the variables occurring in R'_i. 

Proof. It can be proved in [?] that there exists a set {C_{P,1}, ⋯, C_{P,i}, ⋯} of variants 
of clauses of P such that each C_{P,i} satisfies C_i = μ_i C_{P,i}, where μ_i is an idempotent 
substitution such that dom(μ_i) = var(C_{P,i}) and 

    ∀i > 0   var(C_{P,i}) ∩ (var(A_0) ∪ ∪_{1≤j<i} var(C_{P,j}) ∪ ∪_{j≥i} var(C_j)) = ∅ 

• For the first transition. By definition R_1 = θ_1 C_1^- = θ_1 μ_1 C_{P,1}^-. Further- 
more, since var(C_{P,1}) ∩ var(A_0) = ∅ and var(C_1) ∩ var(A_0) = ∅, we have 
θ_1 μ_1 A_0 = A_0 = θ_1 μ_1 C_{P,1}^+. It can be proved [?] that the restriction σ_1 of θ_1 μ_1 
to var(C_{P,1}) is a mgu of A_0 and C_{P,1}^+, and we get the transition A_0 →_P^{C_{P,1},σ_1} R'_1. 
σ_1 A_0 = A_0 follows from θ_1 μ_1 A_0 = A_0. Now, let ρ_1 be the restriction of θ_1 μ_1 to 
var(R'_1) and let us prove that ρ_1 R'_1 = ρ_1 σ_1 C_{P,1}^- = θ_1 μ_1 C_{P,1}^- = θ_1 C_1^- = R_1. Let 
v ∈ var(C_{P,1}^-); two cases are possible. If v ∈ var(C_{P,1}^+), then σ_1 v = θ_1 μ_1 v and 
we can conclude since θ_1 μ_1 θ_1 μ_1 v = θ_1 μ_1 v. Else, if v ∉ var(C_{P,1}^+), then we have 
ρ_1 σ_1 v = ρ_1 v = θ_1 μ_1 v, which settles the claim. 

• For the i-th transition. If A is the selected atom in R_{i−1} at position k, then 
there exists an atom A' occurring at position k in R'_{i−1} such that A = ρ_{i−1} A' 
and we get θ_i ρ_{i−1} A' = θ_i μ_i C_{P,i}^+. From dom(ρ_{i−1}) ⊆ var(R'_{i−1}) and var(R'_{i−1}) ⊆ 
(∪_{1≤j<i} var(C_{P,j}) ∪ var(A_0)), it follows ρ_{i−1} C_{P,i} = C_{P,i} and therefore θ_i ρ_{i−1} A' = 
θ_i μ_i ρ_{i−1} C_{P,i}^+. Furthermore, dom(μ_i) = var(C_{P,i}) and we have μ_i A = A. Hence 
we have θ_i μ_i ρ_{i−1} A' = θ_i μ_i ρ_{i−1} C_{P,i}^+ and since θ_i μ_i ⋯ θ_1 μ_1 A_0 = A_0, there ex- 
ists a mgu σ_i of A' and C_{P,i}^+ such that σ_i A_0 = A_0 and, for a substitution 
ρ_i, we have ρ_i σ_i = θ_i μ_i ρ_{i−1}. Hence, we get the transition R'_{i−1} →_P^{C_{P,i},σ_i} R'_i. 
Since σ_i is idempotent, we have θ_i μ_i ρ_{i−1} σ_i = ρ_i σ_i σ_i = ρ_i σ_i = θ_i μ_i ρ_{i−1} and 
it follows θ_i μ_i ρ_{i−1} R'_i = R_i. Finally, we prove by induction that ∀n ≥ i + 1, 
ρ_n σ_n σ_{n−1} ⋯ σ_{i+1} R'_i = R_i. Hence, since R_i contains only finite atoms and for all 
n ≥ i + 1, we have σ_n ⋯ σ_{i+1} R'_i ≤ R_i, by lemma 3 the derivation obtained 
is a derivation over the domain of finite terms. 

We are now in position to prove the completeness theorem. 

Theorem 2 (Completeness). If A ∈ gfp(T_⌈P⌉), then there exists an SLD- 
proof over the domain of finite terms: 

    A →_P R_1 →_P ⋯ →_P R_{i−1} →_P R_i →_P ⋯ 

such that for all i ≥ 1, σ_i A = A. 

Proof. Immediate by Tarski’s theorem, lemma 2 and lemma 4. 
Hence, if we consider program (1), since eat(i) ∈ gfp(T_⌈P⌉), there exists an 
SLD-proof over the domain of finite terms from eat(i). Another typical example 
is the program containing the clauses: 

    path(x, x) ← ;   path(x, z) ← edge(x, y), path(y, z) 

and testing connectivity in a directed graph. When the graph considered is cyclic, 
there exists an infinite derivation over the domain of finite terms from the query 
path(s, x), where s is an arbitrary node occurring in the cycle, which can be 
viewed as a proof of ∀x path(s, x). 

3.3 Infinite SLD-Derivations Which Do Not Compute Anything 

The derivation obtained by lemma 2 is a special case of a derivation which does 
not compute infinite terms: such a derivation does not compute anything since 
the mgu’s used are just renaming substitutions. For this subclass of derivations, 
we can prove a supplementary result concerning unfair derivations. For this, let 
⌈P⌉^+ = {θC | C ∈ P, dom(θ) ⊆ var(C^+)}, from which we can define a 
monotone operator T_{⌈P⌉^+}, as described by (4). Unfair infinite derivations which 
do not compute anything can be viewed as partial proofs. Recall that given a 
derivation: 

    R_0 →_P R_1 →_P ⋯ →_P R_{i−1} →_P R_i →_P ⋯ 

for all i ≥ 1 we have P ⊨ R_i ⇒ P ⊨ θ_i ⋯ θ_1 R_0. This result can be generalised 
by considering R_∞ = ∪_{p≥0} ∩_{n≥p} R_n. 

Theorem 3. Let P be a program and A_0 be an atom. If there exists an infinite 
derivation R_0 = A_0 →_P^{C_1,θ_1} R_1 →_P ⋯ →_P R_{i−1} →_P^{C_i,θ_i} R_i →_P ⋯ such that for 
all i > 0, dom(θ_i) ⊆ var(C_i^+), then: 

    R_∞ ⊆ gfp(T_{⌈P⌉^+})  ⇒  A_0 ∈ gfp(T_{⌈P⌉^+}) 

Proof. Suppose that ∪_{p≥0} ∩_{n≥p} R_n ⊆ gfp(T_{⌈P⌉^+}) and let us prove that A_0 ∈ 
gfp(T_{⌈P⌉^+}). For this, by Tarski’s theorem and by lemma 1, it suffices to prove 
that there exists a proof tree T of A_0 for ⌈P⌉^+. Let us define the sequence 
T_1, ⋯, T_i, ⋯ of partial proof trees such that every atom occurring in R_i is a 
leaf in T_i. T_1 is obtained by considering the first transition: its root A_0 = θ_1 A_0 
has the atoms in R_1 = θ_1 C_1^- as children. We show now how we can obtain T_n from 
T_{n−1}. We know that atoms occurring in R_{n−1} are leaves in T_{n−1}. Let A be the 
selected atom in R_{n−1}; since dom(θ_n) ⊆ var(C_n^+), T_n is obtained by adding the 
atoms occurring in θ_n C_n^- as children of A. Since R_n = θ_n R_{n−1}[k ← C_n^-] = 
R_{n−1}[k ← θ_n C_n^-], T_n is a partial proof tree of A_0 for ⌈P⌉^+ such that every atom 
occurring in R_n is a leaf in T_n. By iterating this process, we obtain a partial 
proof tree T_∞ whose leaves are either the head of a unit clause in ⌈P⌉ or an 
atom in R_∞, which is, by hypothesis, in gfp(T_{⌈P⌉^+}) and corresponds, by Tarski’s 
theorem and by lemma 1, to the root of a proof tree for ⌈P⌉^+. Therefore, by 
adding in T_∞ these proof trees at the corresponding leaf, we obtain a proof tree 
of A_0 for ⌈P⌉^+. 
This theorem is not a special case of Theorem 2; it just gives another way to interpret a subclass of infinite derivations. For example, if we consider the derivation we can obtain with the program considered earlier, from the query $p(x)$, then by Theorem 2 we have $p(x) \in \mathrm{gfp}(T_{[P]})$, while by Theorem 3 we just have $p(x) \in \mathrm{gfp}(T_{[P]^+}) \Rightarrow p(x) \in \mathrm{gfp}(T_{[P]^+})$, since for this derivation we have $R_\infty = \{p(x)\}$. Such a semantics works well for programs whose clauses do not contain existential variables (i.e., $\mathit{var}(C^-) \subseteq \mathit{var}(C^+)$), since in this case we have $[P] = [P]^+$.

4 Conclusion 

In this paper, the semantics of nonterminating derivations has been investigated within a proof-theoretic framework: clauses have been considered as constructors of a co-inductive definition. Following this approach, a semantics for the class of infinite derivations which do not compute infinite terms has been defined and proved sound and complete by using purely proof-theoretic methods: an atom is the starting point of an infinite derivation over the domain of finite terms if and only if it is in the greatest fixpoint of the transformation $T_{[P]}$. The restriction to the class of derivations over the domain of finite terms is justified by incompleteness results of other approaches, considering infinite terms, in which the greatest fixpoint construction, corresponding to the "logic programs as co-inductive definitions" paradigm, is not equivalent to the operational semantics. In fact, in an earlier section, by considering this identification at a deeper level, we have seen that co-induction is too rich to give a semantics to nonterminating SLD-derivations. This observation explains why most attempts to give a complete semantics to derivations computing infinite terms have not been successful. Therefore, while all the existing approaches in this area are based on the concept of "atoms computable at infinity", we have presented a semantics based on the concept of "atoms provable at infinity".

It seems that the operational notion of "computability at infinity" (associated with infinite derivations computing infinite terms) is better captured by a least fixpoint characterisation. This idea has been developed by G. Levi and C. Palamidessi in [?]. In an order-theoretic framework (involving algebraic CPOs), they consider the "final result" of an infinite derivation as the limit of a sequence of approximations, characterised by a least fixpoint semantics based on a modified version of the programs. Then, infinite objects in the denotation of a program are characterised by the topological closure of $\mathrm{lfp}(T_{P \cup C(P)})$ (where $C(P)$ is the set of added clauses): each infinite element is the least upper bound of a directed set (of finite elements which are its partial approximations) included in $\mathrm{lfp}(T_{P \cup C(P)})$. However, the semantics obtained is sound but not complete.

Of course, a satisfactory semantics for all infinite derivations from a logic 
program has not yet been found. However, even if the results proved in this 
paper may seem unsurprising, they allow us to gain a better understanding of 
the problem. In fact, current approaches in this area only give meaning to infinite 
derivations that compute at least an infinite term and ignore derivations over 
the domain of finite terms. 
Abstract. We show that the addition of name induction to the theory $\mathsf{EETJ} + (\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$ of explicit elementary types with join yields a theory proof-theoretically equivalent to $\mathsf{ID}_1$.
1 Introduction

In this paper, we introduce a theory of explicit mathematics which is proof-theoretically equivalent to the well-known theory $\mathsf{ID}_1$ of non-iterated positive arithmetical inductive definitions.

Explicit mathematics was introduced by Feferman to formalize Bishop-style constructive mathematics [Fef75, Fef79]. In the following, it turned out that this framework is important for proof-theoretic studies of subsystems of analysis and Kripke-Platek set theory. Moreover, it provides a very useful account of theoretical computer science; in particular, it is well-suited for the study of functional and object-oriented programming, cf. [?].

Theories of explicit mathematics are formulated in a two-sorted language. The first-order part, consisting of so-called applicative theories, is based on partial combinatory logic, which can be extended axiomatically by additional constants, cf. [JKS99]. Types build the second sort of objects in explicit mathematics. They are extensional in the usual set-theoretic sense, but a special naming relation due to Jäger [?] allows us to deal with names of the types on the first-order level. These names show an intensional behaviour.

There exists a wide variety of theories of explicit mathematics. The proof-theoretic strength of the different theories covers a broad part of the landscape of mathematical theories. Nevertheless, the theory presented here is the first theory of explicit mathematics equivalent to $\mathsf{ID}_1$.

The well-known theory $\mathsf{ID}_1$ of non-iterated inductive definitions is one of the most prominent theories in proof theory. Formalizing least fixed points of positive arithmetical operator forms, it can be regarded as the most elementary impredicative theory. Going back to Kreisel [?], its proof-theoretic study (and the study of its iterations) can be found in [Fef70, BFPS81, Poh89].

In order to get a theory with the proof-theoretic strength of $\mathsf{ID}_1$, we will add the concept of name induction to the theory EETJ of explicit elementary types with join. That means that names of types can be built by use of generators only, i.e. that the naming relation $\mathfrak{R}$ is, so to say, least.

In the context of Martin-Löf's type theory, this leastness condition corresponds to certain elimination rules which have first been considered by Palmgren and later by Rathjen, also in connection with universes, [?]. For applicative theories, the concept of name induction in the presence of universes is studied in detail in a joint work with Jäger, [?]. The theories studied in that paper exceed the strength of $\mathsf{ID}_1$ substantially by having the proof-theoretic strength of Feferman's theory $\mathsf{T}_0$. For the notion of proof-theoretic strength, we refer to Feferman [?].

In type systems dealing with record or object types the concept of a structural rule is important. Simplifying, we can say that these rules rely on the assumption that the universe of types consists of record or object types only, cf. e.g. [?]. Name induction can be seen as a generalization of this idea, since it allows us to prove that the only types that exist are those which are created by the generators.

The structure of the paper is as follows. In the next section, we introduce the theory NEM of explicit mathematics with name induction and state some basic results. As the core of the paper, we prove in Section 3 that NEM allows for the definition of accessible parts. This result is used in the fourth section to give an interpretation of a theory equivalent to $\mathsf{ID}_1$ in NEM. In the final section, we describe a model of NEM which can be formalized in $\mathsf{ID}_1$.

A substantial part of the work of the first author was elaborated while visiting 
Sol Feferman at Stanford University under support of the Deutsche Forschungs- 
gemeinschaft. The work of the second author is supported by the Schweizerische 
Nationalfonds. This article benefits from fruitful discussion with Gerhard Jager. 

2 The Theory NEM of Explicit Mathematics 
with Name Induction 

2.1 Explicit Mathematics 

In this section, we present the theory EETJ of explicit elementary types with 
join. 

The underlying language $\mathcal{L}_{\mathrm{EM}}$ is comprised of

— individual variables $a, b, c, f, u, v, w, x, y, z, \ldots$,

— type variables $A, B, S, T, U, V, X, Y, Z, \ldots$,

— individual constants $\mathsf{k}, \mathsf{s}$ (combinators), $\mathsf{p}, \mathsf{p}_0, \mathsf{p}_1$ (pairing and projections), $0$ (zero), $\mathsf{s}_\mathsf{N}$ (successor), $\mathsf{p}_\mathsf{N}$ (predecessor) and $\mathsf{d}_\mathsf{N}$ (definition by numerical cases),

R. Kahle and T. Studer
— generators, which are special individual constants, namely $\mathsf{nat}$ (natural numbers), $\mathsf{id}$ (identity), $\mathsf{co}$ (complement), $\mathsf{int}$ (intersection), $\mathsf{dom}$ (domain), $\mathsf{inv}$ (inverse image) and $\mathsf{j}$ (join),

— one binary function symbol $\cdot$ for (partial) application of individuals to individuals,

— unary relation symbols $\downarrow$ (defined) and $\mathsf{N}$ (natural numbers), and

— binary relation symbols $\in$ (membership), $=$ (equality) and $\mathfrak{R}$ (naming or representation).

Individual terms ($r, s, t, r_1, s_1, t_1, \ldots$) of $\mathcal{L}_{\mathrm{EM}}$ are built up from individual variables and individual constants by means of the function symbol $\cdot$. We use $(st)$ or $st$ as an abbreviation for $(s \cdot t)$ and adopt the convention of association to the left, i.e. $s_1 s_2 \ldots s_n$ stands for $(\ldots(s_1 \cdot s_2)\ldots s_n)$.

Atomic formulae of $\mathcal{L}_{\mathrm{EM}}$ are $\mathsf{N}(s)$, $s{\downarrow}$, $s = t$, $U = V$, $s \in U$ and $\mathfrak{R}(s, U)$. $\mathsf{N}(s)$ means that $s$ is a natural number; $s{\downarrow}$ means that $s$ is defined or $s$ has a value. $\mathfrak{R}(s, U)$ is the naming relation, expressing that the individual $s$ represents the type $U$ or is a name of $U$.

The formulae of $\mathcal{L}_{\mathrm{EM}}$ ($\varphi, \psi, \ldots$) are built up from the atomic formulae by use of the usual propositional connectives and quantification in both sorts, over individuals as well as over types.

A formula which contains neither quantifiers over types nor the naming relation $\mathfrak{R}$ is called elementary.

As abbreviations, we use:

$t' := \mathsf{s}_\mathsf{N}\, t$,

$(s, t) := \mathsf{p}\, s\, t$,

$s \simeq t := s{\downarrow} \vee t{\downarrow} \to s = t$,

$s \neq t := s{\downarrow} \wedge t{\downarrow} \wedge \neg(s = t)$,

$s \in \mathsf{N} := \mathsf{N}(s)$,

$\exists x \in \mathsf{N}.\varphi(x) := \exists x.\, x \in \mathsf{N} \wedge \varphi(x)$,

$\forall x \in \mathsf{N}.\varphi(x) := \forall x.\, x \in \mathsf{N} \to \varphi(x)$,

$s \mathrel{\dot\in} t := \exists X.\, \mathfrak{R}(t, X) \wedge s \in X$,

$\exists x \in s.\varphi(x) := \exists x.\, x \mathrel{\dot\in} s \wedge \varphi(x)$,

$\forall x \in s.\varphi(x) := \forall x.\, x \mathrel{\dot\in} s \to \varphi(x)$,

$\mathfrak{R}(s) := \exists X.\, \mathfrak{R}(s, X)$.

The logic for the first-order part of theories of explicit mathematics is Beeson's classical logic of partial terms, cf. [Bee85, TvD88]. The second order part is based on classical logic with equality.

The nonlogical axioms of EETJ can be divided into the following groups. 



A Theory of Explicit Mathematics Equivalent to $\mathsf{ID}_1$



I. Applicative axioms.

(1) $\mathsf{k}\, a\, b = a$,

(2) $\mathsf{s}\, a\, b{\downarrow} \wedge \mathsf{s}\, a\, b\, c \simeq a\, c\, (b\, c)$,

(3) $\mathsf{p}_0(a, b) = a \wedge \mathsf{p}_1(a, b) = b$,

(4) $0 \in \mathsf{N} \wedge \forall x \in \mathsf{N}.\, x' \in \mathsf{N}$,

(5) $\forall x \in \mathsf{N}.\, x' \neq 0 \wedge \mathsf{p}_\mathsf{N}(x') = x$,

(6) $\forall x \in \mathsf{N}.\, x \neq 0 \to \mathsf{p}_\mathsf{N}\, x \in \mathsf{N} \wedge (\mathsf{p}_\mathsf{N}\, x)' = x$,

(7) $a \in \mathsf{N} \wedge b \in \mathsf{N} \wedge a = b \to \mathsf{d}_\mathsf{N}\, x\, y\, a\, b = x$,

(8) $a \in \mathsf{N} \wedge b \in \mathsf{N} \wedge a \neq b \to \mathsf{d}_\mathsf{N}\, x\, y\, a\, b = y$.

II. Explicit representation and extensionality.

(1) $\exists x.\, \mathfrak{R}(x, U)$,

(2) $\mathfrak{R}(a, U) \wedge \mathfrak{R}(a, V) \to U = V$,

(3) $(\forall x.\, x \in U \leftrightarrow x \in V) \to U = V$.

III. Basic type existence axioms.

Natural numbers

$$\mathfrak{R}(\mathsf{nat}) \wedge \forall x.\, x \mathrel{\dot\in} \mathsf{nat} \leftrightarrow \mathsf{N}(x).$$

Identity

$$\mathfrak{R}(\mathsf{id}) \wedge \forall x.\, x \mathrel{\dot\in} \mathsf{id} \leftrightarrow \exists y.\, x = (y, y).$$

Complements

$$\mathfrak{R}(a) \to \mathfrak{R}(\mathsf{co}(a)) \wedge \forall x.\, x \mathrel{\dot\in} \mathsf{co}(a) \leftrightarrow \neg\, x \mathrel{\dot\in} a.$$

Intersections

$$\mathfrak{R}(a) \wedge \mathfrak{R}(b) \to \mathfrak{R}(\mathsf{int}(a, b)) \wedge \forall x.\, x \mathrel{\dot\in} \mathsf{int}(a, b) \leftrightarrow x \mathrel{\dot\in} a \wedge x \mathrel{\dot\in} b.$$

Domains

$$\mathfrak{R}(a) \to \mathfrak{R}(\mathsf{dom}(a)) \wedge \forall x.\, x \mathrel{\dot\in} \mathsf{dom}(a) \leftrightarrow \exists y.\, (x, y) \mathrel{\dot\in} a.$$

Inverse images

$$\mathfrak{R}(a) \to \mathfrak{R}(\mathsf{inv}(a, f)) \wedge \forall x.\, x \mathrel{\dot\in} \mathsf{inv}(a, f) \leftrightarrow f x \mathrel{\dot\in} a.$$

Joins

$$\mathfrak{R}(a) \wedge (\forall x \in a.\, \mathfrak{R}(f x)) \to \mathfrak{R}(\mathsf{j}(a, f)) \wedge \Sigma(a, f, \mathsf{j}(a, f)),$$

where $\Sigma(a, f, b)$ means that $b$ names the disjoint union of $f$ over $a$, defined as

$$\Sigma(a, f, b) := \forall x.\, x \mathrel{\dot\in} b \leftrightarrow \exists y, z.\, x = (y, z) \wedge y \mathrel{\dot\in} a \wedge z \mathrel{\dot\in} f y.$$

IV. Uniqueness of generators. With respect to $\mathcal{L}_{\mathrm{EM}}$, it is given by the collection $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{UG})$ of the following axioms for all syntactically different generators $r_0$ and $r_1$ and arbitrary generators $s$ and $t$ of $\mathcal{L}_{\mathrm{EM}}$:

(1) $r_0 \neq r_1$,

(2) $\forall x.\, s\, x \neq \mathsf{nat} \wedge s\, x \neq \mathsf{id}$,

(3) $\forall x, y.\, s\, x = t\, y \to s = t \wedge x = y$.

EETJ is the theory consisting of all axioms of the groups I. to IV.

As an addition to the axioms of EETJ, we will consider the induction principle $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$, the schema of complete induction on $\mathsf{N}$ for arbitrary formulae $\varphi(u)$:

$$(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})\quad \varphi(0) \wedge (\forall x \in \mathsf{N}.\, \varphi(x) \to \varphi(x')) \to \forall x \in \mathsf{N}.\, \varphi(x)$$

It is a well-known result that we can introduce $\lambda$ abstraction and recursion using the combinator axioms (1) and (2), cf. [Fef75, Bee85].

Proposition 1.

1. For every variable $x$ and every term $t$ of $\mathcal{L}_{\mathrm{EM}}$, there exists a term $\lambda x.t$ of $\mathcal{L}_{\mathrm{EM}}$ whose free variables are those of $t$, excluding $x$, such that

$$\mathsf{EETJ} \vdash \lambda x.t{\downarrow} \wedge (\lambda x.t)\, x \simeq t.$$

2. There exists a term $\mathsf{rec}$ of $\mathcal{L}_{\mathrm{EM}}$ such that

$$\mathsf{EETJ} \vdash \mathsf{rec}\, f{\downarrow} \wedge \forall x.\, \mathsf{rec}\, f\, x \simeq f\, (\mathsf{rec}\, f)\, x.$$

Our definition of EETJ is based on a finite axiomatization of elementary comprehension. This approach is essential for the formulation of name induction below. In contrast, the original definition of EETJ employed an infinite axiom schema. A theorem of Feferman and Jäger shows that this schema is derivable from the finite axiomatization.

Lemma 1 (Elementary comprehension). Let $\varphi$ be an elementary $\mathcal{L}_{\mathrm{EM}}$ formula with no (distinct) individual variables other than $u, y_1, \ldots, y_m$ and no (distinct) type variables other than $Y_1, \ldots, Y_n$. Then there exists a closed individual term $t$ of $\mathcal{L}_{\mathrm{EM}}$, depending on $\varphi$, such that EETJ proves for all individual terms $a = a_1, \ldots, a_m$, $b = b_1, \ldots, b_n$ and type terms $S = S_1, \ldots, S_n$ (where $\mathfrak{R}(b, S)$ stands for $\mathfrak{R}(b_1, S_1) \wedge \ldots \wedge \mathfrak{R}(b_n, S_n)$) that:

1. $\mathfrak{R}(b, S) \to \mathfrak{R}(t(a, b))$,

2. $\mathfrak{R}(b, S) \to \forall x\, (x \mathrel{\dot\in} t(a, b) \leftrightarrow \varphi[x, a, S])$.

Informally, we will write $\{x : \varphi(x)\}$ for the collection of all individuals $c$ satisfying $\varphi(c)$. Using this notation, the lemma expresses that, for elementary formulae $\varphi[u, y, Y]$, the following hold:

1. $\{x : \varphi[x, a, S]\}$ is a type,

2. there is a name $t(a, b)$ for this type which is given uniformly in the individual parameters and the names of the type parameters.
2.2 Name Induction

In this section, we define the schema of name induction. This induction principle states that names can be defined by means of generators only. Because, in a certain sense, names can be seen as intensional representations of sets, we get an intensional version of $\in$-induction.

In order to state the formal definition of name induction, we introduce as auxiliary notation the closure condition $C(\varphi, a)$ as the disjunction of the following formulae:

(1) $a = \mathsf{nat} \vee a = \mathsf{id}$,

(2) $\exists x.\, a = \mathsf{co}(x) \wedge \varphi(x)$,

(3) $\exists x, y.\, a = \mathsf{int}(x, y) \wedge \varphi(x) \wedge \varphi(y)$,

(4) $\exists x.\, a = \mathsf{dom}(x) \wedge \varphi(x)$,

(5) $\exists f, x.\, a = \mathsf{inv}(f, x) \wedge \varphi(x)$,

(6) $\exists f, x.\, a = \mathsf{j}(x, f) \wedge \varphi(x) \wedge \forall y \in x.\, \varphi(f y)$.

The schema of name induction is now given by

$$(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_{\mathfrak{R}})\quad (\forall x.\, C(\varphi, x) \to \varphi(x)) \to \forall x.\, \mathfrak{R}(x) \to \varphi(x),$$

for arbitrary formulae $\varphi(x)$ of $\mathcal{L}_{\mathrm{EM}}$.

The theory NEM of explicit mathematics with name induction consists of the axioms of EETJ plus $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$ and $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_{\mathfrak{R}})$.

As a first consequence of $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_{\mathfrak{R}})$, we prove name strictness which, more explicitly, says that the (appropriate) arguments of generators of names are names, too. This is represented by the conjunction $\mathrm{Str}(\mathfrak{R})$ of the following clauses:

(1) $\forall x.\, \mathfrak{R}(\mathsf{co}(x)) \to \mathfrak{R}(x)$,

(2) $\forall x, y.\, \mathfrak{R}(\mathsf{int}(x, y)) \to \mathfrak{R}(x) \wedge \mathfrak{R}(y)$,

(3) $\forall x.\, \mathfrak{R}(\mathsf{dom}(x)) \to \mathfrak{R}(x)$,

(4) $\forall f, x.\, \mathfrak{R}(\mathsf{inv}(f, x)) \to \mathfrak{R}(x)$,

(5) $\forall f, x.\, \mathfrak{R}(\mathsf{j}(x, f)) \to \mathfrak{R}(x) \wedge \forall y \in x.\, \mathfrak{R}(f y)$.

To show $\mathrm{Str}(\mathfrak{R})$ in NEM, we first note that the closure of the names under condition $C$ is guaranteed by the type existence axioms of EETJ:

$$\mathsf{EETJ} \vdash C(\mathfrak{R}, x) \to \mathfrak{R}(x).$$

Lemma 2. $\mathsf{NEM} \vdash \mathrm{Str}(\mathfrak{R})$.

Proof. The proof is straightforward using $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_{\mathfrak{R}})$ on the formula $C(\mathfrak{R}, x)$, i.e. we have

$$(\forall x.\, C(C(\mathfrak{R}, \cdot), x) \to C(\mathfrak{R}, x)) \to \forall x.\, \mathfrak{R}(x) \to C(\mathfrak{R}, x).$$

The premise follows immediately from the preceding remark and the fact that $\varphi$ occurs only positively in $C(\varphi, x)$. From the consequence $\forall x.\, \mathfrak{R}(x) \to C(\mathfrak{R}, x)$ we get the required conclusion $\mathrm{Str}(\mathfrak{R})$ by substituting the different names. For example, for clause (5) we have

$$\mathfrak{R}(\mathsf{j}(x, f)) \to C(\mathfrak{R}, \mathsf{j}(x, f))$$

$$\to \exists g, z.\, \mathsf{j}(x, f) = \mathsf{j}(z, g) \wedge \mathfrak{R}(z) \wedge \forall y \in z.\, \mathfrak{R}(g y)$$

$$\to \exists g, z.\, x = z \wedge f = g \wedge \mathfrak{R}(z) \wedge \forall y \in z.\, \mathfrak{R}(g y)$$

$$\to \mathfrak{R}(x) \wedge \forall y \in x.\, \mathfrak{R}(f y).$$

For this argument, the uniqueness of generators $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{UG})$ is essential.

3 Accessible Parts in NEM 

For the proof-theoretic analysis of NEM, the crucial property is the possibility of defining accessible parts. This will be used in the next section to embed the theory $\mathsf{ID}_1^{\mathrm{acc}}$ of accessibility inductive definitions in NEM.

Let us introduce the following abbreviation:

$$\mathrm{Closed}(a, b, \varphi) := \forall x \in a.\, (\forall y \in a.\, (y, x) \mathrel{\dot\in} b \to \varphi(y)) \to \varphi(x).$$

If $b$ is a name for a binary relation, then $\mathrm{Closed}(a, b, \varphi)$ expresses that $\varphi$ holds for all elements $c \mathrel{\dot\in} a$ if it holds for all predecessors of $c$ in $a$ with respect to the relation named by $b$.

Using this abbreviation we can state the following theorem, which is the essential step of the embedding of $\mathsf{ID}_1^{\mathrm{acc}}$.

Theorem 1. There exists a formula $\mathrm{Acc}(a, b, x)$ such that NEM proves for arbitrary formulae $\varphi(x)$:

(Acc.1) $\mathfrak{R}(a) \wedge \mathfrak{R}(b) \to \mathrm{Closed}(a, b, \mathrm{Acc}(a, b, \cdot))$,

(Acc.2) $\mathfrak{R}(a) \wedge \mathfrak{R}(b) \wedge \mathrm{Closed}(a, b, \varphi) \to \forall x.\, \mathrm{Acc}(a, b, x) \to \varphi(x)$.

Proof. Let us assume $\mathfrak{R}(a, A)$ and $\mathfrak{R}(b, B)$. We set $A_x := \{y \in A \mid (y, x) \in B\}$, i.e. the subset of $A$ consisting of all $B$-predecessors of $x$. By elementary comprehension, there exists a closed term $\mathsf{pd}$ so that $\mathfrak{R}(\mathsf{pd}(a, b, x), A_x)$.

By use of the recursion theorem, we can define a term $\mathsf{f}$ satisfying the equation:

$$\mathsf{f}(a, b, c) \simeq \mathsf{j}(\mathsf{pd}(a, b, c), \lambda y.\mathsf{f}(a, b, y)). \qquad (*)$$

Hence, $\mathsf{f}$ maps an element $c \in A$ to the disjoint union of all $\mathsf{f}$-images of $B$-predecessors of $c$. Using $\mathsf{f}$, we define the formula $\mathrm{Acc}$ in the following way:

$$\mathrm{Acc}(a, b, c) := c \mathrel{\dot\in} a \wedge \mathfrak{R}(\mathsf{f}(a, b, c)).$$

If $\mathrm{Acc}(a, b, c)$ holds we say that "$c$ is accessible". The idea of its definition is the following. $\mathsf{pd}(a, b, c)$ is the name of the set $A_c$ which consists of all $B$-predecessors of $c$ in $A$. Using join, we associate this set with a set of elements which can be proven to be names if $\mathsf{f}(a, b, c)$ is a name. This trick allows us to encode arbitrary objects of our language by names, and then name induction can be used to prove the required properties.
(Acc.1) To show $\mathrm{Closed}(a, b, \mathrm{Acc}(a, b, \cdot))$, we choose an element $c$ of $A$ such that

$$\forall y \in a.\, (y, c) \mathrel{\dot\in} b \to \mathrm{Acc}(a, b, y).$$

The definition of $\mathsf{pd}$ yields

$$\forall y.\, y \mathrel{\dot\in} \mathsf{pd}(a, b, c) \to \mathrm{Acc}(a, b, y).$$

This implies by the definition of $\mathrm{Acc}$ that

$$\forall y.\, y \mathrel{\dot\in} \mathsf{pd}(a, b, c) \to \mathfrak{R}(\mathsf{f}(a, b, y)).$$

From the axioms about join, we obtain

$$\mathfrak{R}(\mathsf{j}(\mathsf{pd}(a, b, c), \lambda y.\mathsf{f}(a, b, y))).$$

By the equation $(*)$, this means $\mathfrak{R}(\mathsf{f}(a, b, c))$. Together with the assumption $c \mathrel{\dot\in} a$ we have $\mathrm{Acc}(a, b, c)$. Since $c$ was chosen arbitrarily, the proof of $\mathrm{Closed}(a, b, \mathrm{Acc})$ is completed.

(Acc.2) To prove the second assertion we first show two auxiliary statements (A) and (B).

(A) says that if $c$ is accessible, then all its $b$-predecessors are accessible, too:

$$\mathrm{Acc}(a, b, c) \to (\forall x \in \mathsf{pd}(a, b, c).\, \mathrm{Acc}(a, b, x)). \qquad \text{(A)}$$

Assuming $\mathrm{Acc}(a, b, c)$, we get by $(*)$ that $\mathfrak{R}(\mathsf{j}(\mathsf{pd}(a, b, c), \lambda y.\mathsf{f}(a, b, y)))$ holds. Then $\forall x \in \mathsf{pd}(a, b, c).\, \mathfrak{R}(\mathsf{f}(a, b, x))$ is a consequence of Lemma 2 about name strictness. To complete the proof of (A), we have to check that $\forall x \in \mathsf{pd}(a, b, c).\, x \mathrel{\dot\in} a$, which immediately follows from the definition of $\mathsf{pd}$.

In order to formulate the assertion (B), we define an additional formula $\psi_\varphi(u, v, w)$ depending on a formula $\varphi(x)$, which will be used as induction formula in the schema of name induction. Using the definition of $\mathsf{f}$, here we "replace" arbitrary objects by their associated names:

$$\psi_\varphi(a, b, u) := \forall y.\, \mathrm{Acc}(a, b, y) \wedge \mathsf{f}(a, b, y) = u \to \varphi(y).$$

Now, the statement (B) reads as

$$\mathrm{Closed}(a, b, \varphi) \wedge C(\psi_\varphi(a, b, \cdot), u) \to \psi_\varphi(a, b, u). \qquad \text{(B)}$$

For the proof of (B), we assume $\mathrm{Closed}(a, b, \varphi) \wedge C(\psi_\varphi(a, b, \cdot), u)$ and $\mathrm{Acc}(a, b, c) \wedge \mathsf{f}(a, b, c) = u$, from which we have to show $\varphi(c)$. From the last assumption, we get by $(*)$:

$$u = \mathsf{j}(\mathsf{pd}(a, b, c), \lambda y.\mathsf{f}(a, b, y)).$$

Uniqueness of generators and the join clause (6) of $C(\psi_\varphi(a, b, \cdot), u)$ yield

$$\forall x \in \mathsf{pd}(a, b, c).\, \psi_\varphi(a, b, \mathsf{f}(a, b, x)).$$

By the definition of $\psi_\varphi$ this reads

$$\forall x \in \mathsf{pd}(a, b, c).\, \forall y.\, \mathrm{Acc}(a, b, y) \wedge \mathsf{f}(a, b, y) = \mathsf{f}(a, b, x) \to \varphi(y).$$

Choosing $x$ for $y$, we get

$$\forall x \in \mathsf{pd}(a, b, c).\, \mathrm{Acc}(a, b, x) \to \varphi(x).$$

Assuming $\mathrm{Acc}(a, b, c)$, we obtain by (A) that $\forall x \in \mathsf{pd}(a, b, c).\, \mathrm{Acc}(a, b, x)$ holds. So we have

$$\forall x \in \mathsf{pd}(a, b, c).\, \varphi(x).$$

But this is the premise of the assumption $\mathrm{Closed}(a, b, \varphi)$ for the element $c$, and we get $\varphi(c)$. Thus, (B) is proven.

To prove the second assertion (Acc.2), we now take an arbitrary formula $\varphi(x)$ and assume $\mathrm{Closed}(a, b, \varphi)$ and $\mathrm{Acc}(a, b, x)$. For the first assumption, (B) yields

$$\forall y.\, C(\psi_\varphi(a, b, \cdot), y) \to \psi_\varphi(a, b, y).$$

This is just the premise of name induction for $\psi_\varphi(a, b, y)$, and we get from $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_{\mathfrak{R}})$

$$\forall y.\, \mathfrak{R}(y) \to \psi_\varphi(a, b, y).$$

By the definition of $\psi_\varphi$,

$$\forall y.\, \mathfrak{R}(y) \to \forall x.\, \mathrm{Acc}(a, b, x) \wedge \mathsf{f}(a, b, x) = y \to \varphi(x).$$

Since the assumption $\mathrm{Acc}(a, b, x)$ implies $\mathfrak{R}(\mathsf{f}(a, b, x))$, we can choose $y$ as $\mathsf{f}(a, b, x)$ and all premises are satisfied. Therefore we finally obtain the required result $\varphi(x)$.

In this proof we followed the presentation of the corresponding proof in [?], where the principle of inductive generation is verified in the presence of universes.
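The content of Theorem 1 is easiest to see on a finite relation, where the accessible part can be computed outright. The following Python script is an added illustration, not code from the paper: it takes a finite set $a$ and a relation $b \subseteq a \times a$ (the constructed sample below has one chain ending in a cycle and one separate chain), computes $\mathrm{Acc}(a, b, \cdot)$ as the least set satisfying $\mathrm{Closed}(a, b, \cdot)$ by iterating the closure condition from the empty set, and checks (Acc.1) and (Acc.2) directly: the result is Closed, and it is contained in every Closed subset, which on a set this small can simply be enumerated. `pd` mirrors the predecessor set $A_x$ of the proof; the iteration from below stands in for the name-induction argument, and the sample data and function names are assumptions of the example.

```python
"""Accessible part of a finite relation as the least Closed set (added example)."""
from itertools import combinations

# Constructed sample: a = {0,...,5}; (y, x) in b means y is a b-predecessor of x.
# 0 -> 1 -> 2 <-> 3 is a chain ending in a cycle; 4 -> 5 is a separate chain.
A = {0, 1, 2, 3, 4, 5}
B = {(0, 1), (1, 2), (2, 3), (3, 2), (4, 5)}


def pd(a, b, c):
    """The set A_c of b-predecessors of c inside a (the type named by pd(a, b, c))."""
    return {y for y in a if (y, c) in b}


def closed(a, b, phi):
    """Closed(a, b, phi): phi(x) holds for every x in a all of whose predecessors satisfy phi."""
    return all(phi(x) for x in a if all(phi(y) for y in pd(a, b, x)))


def accessible(a, b):
    """Acc(a, b, .): the least Closed subset of a, reached by iterating the closure
    condition from the empty set (elements without predecessors enter first)."""
    acc = set()
    while True:
        new = {x for x in a if pd(a, b, x) <= acc}
        if new == acc:
            return acc
        acc = new


def least_closed_set(a, b):
    """Brute force for tiny a: intersect all Closed subsets of a. Since Closed is
    preserved by intersection, the result is the least Closed set."""
    elems = sorted(a)
    closed_sets = [set(s) for k in range(len(elems) + 1)
                   for s in combinations(elems, k)
                   if closed(a, b, lambda x, s=s: x in s)]
    return set.intersection(*closed_sets)


def check_theorem_1(a, b):
    """(Acc.1): accessible(a, b) is Closed.  (Acc.2): it lies in every Closed subset."""
    acc = accessible(a, b)
    acc1 = closed(a, b, lambda x: x in acc)
    acc2 = acc == least_closed_set(a, b)
    return acc, acc1, acc2


if __name__ == "__main__":
    print(check_theorem_1(A, B))    # ({0, 1, 4, 5}, True, True)
```

Elements 2 and 3, which are each other's predecessors, never become accessible: no stage of the iteration can contain one of them without already containing the other. That is exactly the situation (Acc.2) excludes, since the set $\{0, 1, 4, 5\}$ without them is already Closed.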

4 Modelling $\mathsf{ID}_1^{\mathrm{acc}}$ in NEM

To show the lower bound of NEM, we will embed the theory $\mathsf{ID}_1^{\mathrm{acc}}$ of accessibility elementary inductive definitions, cf. [BFPS81, ?]. Let $\mathcal{L}_1$ be the language of Peano arithmetic. In order to obtain $\mathcal{L}_{\mathrm{ID}}$, we extend this language by adding new unary predicate symbols $P_\varphi$ for every formula $\varphi(x, y)$ of $\mathcal{L}_1$ containing two distinct free variables. For the definition of $\mathsf{ID}_1^{\mathrm{acc}}$ we extend the axioms of PA to the new language, including formula induction for arbitrary $\mathcal{L}_{\mathrm{ID}}$ formulae, and add for each new predicate symbol $P_\varphi$ and each $\mathcal{L}_{\mathrm{ID}}$ formula $\psi$ the following two axioms:

$$(\mathsf{ID}^{\mathrm{acc}}.1)\quad \forall x.\, (\forall y.\, \varphi(x, y) \to P_\varphi(y)) \to P_\varphi(x)$$

$$(\mathsf{ID}^{\mathrm{acc}}.2)\quad (\forall x.\, (\forall y.\, \varphi(x, y) \to \psi(y)) \to \psi(x)) \to \forall x.\, P_\varphi(x) \to \psi(x)$$






It is well-known that Peano arithmetic can be embedded in $\mathsf{EETJ} + (\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$, indeed in its applicative fragment $\mathsf{BON} + (\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$, using an interpretation $\cdot^{\mathsf{N}}$, cf. [?]. This interpretation translates formulae of $\mathcal{L}_1$ into elementary formulae of $\mathcal{L}_{\mathrm{EM}}$. Thus, by elementary comprehension we get for every binary formula $\varphi(x, y)$ of $\mathcal{L}_1$ a name for the corresponding type, i.e. EETJ proves that $t_{\varphi^{\mathsf{N}}}$ is a name for $\{(x, y) \mid x \in \mathsf{N} \wedge y \in \mathsf{N} \wedge \varphi^{\mathsf{N}}(x, y)\}$. These names will be employed in the proof of the following theorem to represent the binary relations which are used in the definition of $\mathsf{ID}_1^{\mathrm{acc}}$.

Theorem 2. There exists a translation $\cdot^{\mathsf{N}}$ from $\mathcal{L}_{\mathrm{ID}}$ to $\mathcal{L}_{\mathrm{EM}}$ such that

$$\mathsf{ID}_1^{\mathrm{acc}} \vdash \varphi \ \Rightarrow\ \mathsf{NEM} \vdash \varphi^{\mathsf{N}}$$

for all $\mathcal{L}_{\mathrm{ID}}$ formulae $\varphi$.

Proof. To interpret $\mathsf{ID}_1^{\mathrm{acc}}$ in NEM we extend the translation $\cdot^{\mathsf{N}}$ by setting

$$[P_\varphi(x)]^{\mathsf{N}} := \mathrm{Acc}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, x),$$

where $\mathrm{Acc}(x, y, z)$ is defined as in Theorem 1. Then the proof runs by induction on the length of the derivation of $\mathsf{ID}_1^{\mathrm{acc}} \vdash \varphi$. In addition to the embedding of PA in EETJ, we need only check the axioms for the new predicate symbols. The translation of $(\mathsf{ID}^{\mathrm{acc}}.1)$ reads as

$$[\forall x.\, (\forall y.\, \varphi(x, y) \to P_\varphi(y)) \to P_\varphi(x)]^{\mathsf{N}}$$

$$\leftrightarrow\ \forall x \in \mathsf{nat}.\, (\forall y \in \mathsf{nat}.\, \varphi^{\mathsf{N}}(x, y) \to \mathrm{Acc}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, y)) \to \mathrm{Acc}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, x)$$

$$\leftrightarrow\ \mathrm{Closed}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, \mathrm{Acc}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, \cdot)).$$

Since the last line is an instance of (Acc.1) of Theorem 1, this axiom is verified. In the same way, $(\mathsf{ID}^{\mathrm{acc}}.2)^{\mathsf{N}}$ follows from (Acc.2):

$$[(\forall x.\, (\forall y.\, \varphi(x, y) \to \psi(y)) \to \psi(x)) \to \forall x.\, P_\varphi(x) \to \psi(x)]^{\mathsf{N}}$$

$$\leftrightarrow\ (\forall x \in \mathsf{nat}.\, (\forall y \in \mathsf{nat}.\, \varphi^{\mathsf{N}}(x, y) \to \psi^{\mathsf{N}}(y)) \to \psi^{\mathsf{N}}(x)) \to \forall x \in \mathsf{nat}.\, \mathrm{Acc}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, x) \to \psi^{\mathsf{N}}(x)$$

$$\leftrightarrow\ \mathrm{Closed}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, \psi^{\mathsf{N}}) \to \forall x.\, \mathrm{Acc}(\mathsf{nat}, t_{\varphi^{\mathsf{N}}}, x) \to \psi^{\mathsf{N}}(x).$$

The last line is an instance of (Acc.2), and we have finished the embedding of $\mathsf{ID}_1^{\mathrm{acc}}$.

5 Modelling NEM in $\mathsf{ID}_1$

In this section, we embed NEM in the theory $\mathsf{ID}_1$ of non-iterated inductive definitions. This extension of Peano arithmetic postulates the existence of least fixed points for positive arithmetical operator forms. These are formulae $\varphi(R, x)$ in the language $\mathcal{L}_1$ with one additional relation symbol $R$ that has only positive occurrences in $\varphi$. The language of $\mathsf{ID}_1$ is $\mathcal{L}_1$ extended by new predicate symbols $P_\varphi$ for each positive operator form $\varphi(R, x)$. As axioms, we choose those of PA, including formula induction extended to the new language, and the following two principles for each new predicate symbol $P_\varphi$ and arbitrary formulae $\psi$:

$$(\mathsf{ID}_1.1)\quad \forall x.\, \varphi(P_\varphi, x) \to P_\varphi(x)$$

$$(\mathsf{ID}_1.2)\quad (\forall x.\, \varphi(\psi/R, x) \to \psi(x)) \to \forall x.\, P_\varphi(x) \to \psi(x)$$

Here $\varphi(\psi/R, x)$ denotes the result of substituting any occurrence of $R(t)$ in $\varphi$ by $\psi(t/x)$.

In [Fef75], Feferman presented an inductive model construction for explicit mathematics. Beeson showed in [Bee85] that for the system $\mathsf{EETJ} + (\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$ this construction can be carried out in the theory $\widehat{\mathsf{ID}}_1$, cf. also [?]. This theory, stating only the existence of (not necessarily least) fixed points of positive arithmetical operator forms, can be obtained from $\mathsf{ID}_1$ by replacing the axioms $(\mathsf{ID}_1.1)$ and $(\mathsf{ID}_1.2)$ by

$$(\widehat{\mathsf{ID}}_1)\quad \forall x.\, \varphi(P_\varphi, x) \leftrightarrow P_\varphi(x).$$

In fact, we can use Beeson's formalization for the analysis of NEM, using in addition the induction principle of $\mathsf{ID}_1$ to verify name induction $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_{\mathfrak{R}})$. The only differences are the adaptation to the finite axiomatization of elementary comprehension and the (trivial) verification of uniqueness of generators $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{UG})$, which was not part of the original formulation of EETJ.

We start with a standard interpretation $\cdot^*$ of the applicative structure using the relation $\mathrm{App}(x, y, z) := \{x\}(y) \simeq z$ in the sense of ordinary recursion theory, cf. [?]. Here, the constants of $\mathcal{L}_{\mathrm{EM}}$ are interpreted by numerals of $\mathcal{L}_1$ coding appropriate number-theoretic functions satisfying the axioms of EETJ. With respect to the generators we have to choose numerals according to the following codes, which will be used for the interpretation of the type structure:

— $(1)$ codes the type of numerals,

— $(2)$ codes the type of pairs with identical elements,

— $(3, a)$ codes the complement of the type coded by $a$,

— $(4, a, b)$ codes the intersection of the two types coded by $a$ and $b$,

— $(5, a)$ codes the domain of a function given as a type of ordered pairs coded by $a$,

— $(6, f, a)$ codes the inverse image of $f$, i.e. the type of all individuals $x$ such that $fx$ is an element of the type coded by $a$,

— $(7, a, f)$ codes the join of $f$ over the type coded by $a$.

By choosing the codes for the generators according to these conditions, the axioms about uniqueness of generators are obviously satisfied.

To interpret the second order part of NEM we define three relations $\mathrm{Typ}$, $\mathrm{In}$ and $\overline{\mathrm{In}}$, using appropriate operator forms. The meaning of these predicates and their relation to $\mathcal{L}_{\mathrm{EM}}$ is as follows. Let $s, t$ be terms of $\mathsf{ID}_1$ interpreting types $S, T$ of $\mathcal{L}_{\mathrm{EM}}$, respectively, and let $r$ be the interpretation of an arbitrary $\mathcal{L}_{\mathrm{EM}}$ term; then we have:
— $\mathrm{Typ}(t)$ represents that $t$ is a code of a type.

— $\mathrm{In}(r, t)$ interprets the formula $r \in T$.

— $\overline{\mathrm{In}}(r, t)$ holds for $\neg\, r \in T$.

— We have to introduce the relation $\overline{\mathrm{In}}$ in order to guarantee that the defining operator forms are positive. As a consequence, we have to prove that $\overline{\mathrm{In}}(r, t)$ is equivalent to $\neg\mathrm{In}(r, t)$.

— $T = S$ is interpreted by $\mathrm{Typ}(t) \wedge \mathrm{Typ}(s) \wedge \forall x.\, \mathrm{In}(x, t) \leftrightarrow \mathrm{In}(x, s)$, i.e. as extensional equality.

— $\mathfrak{R}(t, S)$ is also modelled by $\mathrm{Typ}(t) \wedge \mathrm{Typ}(s) \wedge \forall x.\, \mathrm{In}(x, t) \leftrightarrow \mathrm{In}(x, s)$.

In order to define $\mathrm{Typ}(x)$, $\mathrm{In}(x, y)$ and $\overline{\mathrm{In}}(x, y)$ we need some coding. Let us use $\psi^0(x)$, $\psi^1(x, y)$ and $\psi^2(x, y)$ as abbreviations for $\psi((0, x))$, $\psi((1, (x, y)))$ and $\psi((2, (x, y)))$, respectively. With this notation we can define $\mathrm{Typ}(x)$, $\mathrm{In}(x, y)$ and $\overline{\mathrm{In}}(x, y)$ as the "projections" $P_\varphi^0(x)$, $P_\varphi^1(x, y)$ and $P_\varphi^2(x, y)$ of the fixed point $P_\varphi$ of the positive operator form

$$\varphi(\psi, z) := (\exists y.\, z = (0, y) \wedge C_{\mathrm{Typ}}(\psi, y)) \vee (\exists x, y.\, z = (1, (x, y)) \wedge C_{\mathrm{In}}(\psi, x, y)) \vee (\exists x, y.\, z = (2, (x, y)) \wedge C_{\overline{\mathrm{In}}}(\psi, x, y))$$

with the following closure conditions (where it is helpful to keep in mind the intended meanings of $\psi^0$, $\psi^1$ and $\psi^2$, namely $\mathrm{Typ}$, $\mathrm{In}$ and $\overline{\mathrm{In}}$, respectively). $C_{\mathrm{Typ}}(\psi, z)$ is the disjunction of the following clauses:

— $z = (1)$,

— $z = (2)$,

— $\exists x.\, z = (3, x) \wedge \psi^0(x)$,

— $\exists x, y.\, z = (4, x, y) \wedge \psi^0(x) \wedge \psi^0(y)$,

— $\exists x.\, z = (5, x) \wedge \psi^0(x)$,

— $\exists f, x.\, z = (6, f, x) \wedge \psi^0(x)$,

— $\exists f, x.\, z = (7, x, f) \wedge \psi^0(x) \wedge \forall y.\, \psi^2(y, x) \vee \psi^0(\{f\}(y))$.

$C_{\mathrm{In}}(\psi, u, z)$ is the disjunction of the following clauses:

— $z = (1)$,

— $z = (2) \wedge \exists y.\, u = (y, y)$,

— $\exists x.\, z = (3, x) \wedge \psi^0(x) \wedge \psi^2(u, x)$,

— $\exists x, y.\, z = (4, x, y) \wedge \psi^0(x) \wedge \psi^0(y) \wedge \psi^1(u, x) \wedge \psi^1(u, y)$,

— $\exists x.\, z = (5, x) \wedge \psi^0(x) \wedge \exists v.\, \psi^1((u, v), x)$,

— $\exists f, x.\, z = (6, f, x) \wedge \psi^0(x) \wedge \psi^1(\{f\}(u), x)$,

— $\exists f, x.\, z = (7, x, f) \wedge \psi^0(x) \wedge (\forall y.\, \psi^2(y, x) \vee \psi^0(\{f\}(y))) \wedge \exists v, w.\, u = (v, w) \wedge \psi^1(v, x) \wedge \psi^1(w, \{f\}(v))$.

The defining clauses for $C_{\overline{\mathrm{In}}}$ are analogous, also containing positive occurrences of $\psi$ only.

Without the leastness property for the fixed point defined by $\varphi$ we cannot prove that $\mathrm{In}$ and $\overline{\mathrm{In}}$ are complementary. Hence, for embedding $\mathsf{EETJ} + (\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$ in $\widehat{\mathsf{ID}}_1$ one has to make use of Aczel's trick of sorting out all codes $a$ for types where $\overline{\mathrm{In}}(\cdot, a)$ is not the complement of $\mathrm{In}(\cdot, a)$. However, in $\mathsf{ID}_1$ the leastness condition allows for a direct proof that $\mathrm{In}$ and $\overline{\mathrm{In}}$ are complements, cf. [?].
Lemma 3. $\mathsf{ID}_1 \vdash \mathrm{Typ}(y) \to \forall x.\, \mathrm{In}(x, y) \leftrightarrow \neg\overline{\mathrm{In}}(x, y)$.
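The role of leastness in Lemma 3, and the name-induction reading of the fixed point used in the proof of Theorem 3 below, can both be watched on a finite approximation of the operator form. The following Python script is an added example, not part of the paper: it builds codes of the kind introduced in Section 5 for the generators $\mathsf{nat}$, $\mathsf{id}$, $\mathsf{co}$, $\mathsf{int}$ and $\mathsf{inv}$ over a bounded universe of numerals $0, \ldots, N-1$ ($\mathsf{dom}$ and $\mathsf{j}$ are left out, because in a bounded universe the pairing and function application they need are not closed; that omission, the bound, the table functions and all identifiers are assumptions of the example), iterates the positive operator form $\varphi(\psi, z)$ from the empty set until it reaches the least fixed point, and then checks on that fixed point that $\mathrm{In}$ and $\overline{\mathrm{In}}$ are complementary on every type code (Lemma 3) and that only codes produced by the generators are in $\mathrm{Typ}$ (a junk code that no generator builds stays out, which is what a non-least fixed point need not guarantee).

```python
"""Least fixed point of a Section 5 style operator form on a bounded universe (added example)."""
import math

N = 12                        # individuals are the numerals 0..N-1 (the bound is an assumption)
UNIVERSE = range(N)
NAT, ID = (1,), (2,)          # codes of the generators nat and id


def pair(y, z):
    """Cantor pairing: the numeral coding the ordered pair (y, z)."""
    return (y + z) * (y + z + 1) // 2 + z


def unpair(u):
    """Inverse of pair(): the unique (y, z) with pair(y, z) == u."""
    w = (math.isqrt(8 * u + 1) - 1) // 2
    z = u - w * (w + 1) // 2
    return w - z, z


# A stage psi is a set of facts ('typ', z), ('in', u, z), ('nin', u, z), i.e. the
# projections psi^0, psi^1, psi^2.  Every test below reads F positively only.
def c_typ(F, z):
    """C_Typ(psi, z): closure clauses for 'z codes a type'."""
    if z in (NAT, ID):
        return True
    if z[0] == 3:                                    # (3, a): complement of a
        return ('typ', z[1]) in F
    if z[0] == 4:                                    # (4, a, b): intersection
        return ('typ', z[1]) in F and ('typ', z[2]) in F
    if z[0] == 6:                                    # (6, f, a): inverse image of a under f
        return ('typ', z[2]) in F
    return False                                     # no generator produces z


def c_in(F, u, z):
    """C_In(psi, u, z): closure clauses for 'u is in the type coded by z'."""
    if z == NAT:
        return True
    if z == ID:
        y, w = unpair(u)
        return y == w
    if z[0] == 3:
        return ('typ', z[1]) in F and ('nin', u, z[1]) in F
    if z[0] == 4:
        return all(('typ', a) in F and ('in', u, a) in F for a in z[1:])
    if z[0] == 6:
        f, a = z[1], z[2]                            # f is a table over the universe
        return ('typ', a) in F and ('in', f[u], a) in F
    return False


def c_nin(F, u, z):
    """C_NotIn(psi, u, z): the dual clauses, again positive in psi."""
    if z == NAT:
        return False
    if z == ID:
        y, w = unpair(u)
        return y != w
    if z[0] == 3:
        return ('typ', z[1]) in F and ('in', u, z[1]) in F
    if z[0] == 4:
        return all(('typ', a) in F for a in z[1:]) and any(('nin', u, a) in F for a in z[1:])
    if z[0] == 6:
        f, a = z[1], z[2]
        return ('typ', a) in F and ('nin', f[u], a) in F
    return False


def lfp(codes):
    """Iterate the operator form from the empty set and stop at the least fixed point."""
    F = frozenset()
    while True:
        G = set()
        for z in codes:
            if c_typ(F, z):
                G.add(('typ', z))
            for u in UNIVERSE:
                if c_in(F, u, z):
                    G.add(('in', u, z))
                if c_nin(F, u, z):
                    G.add(('nin', u, z))
        if G == F:
            return F
        F = frozenset(G)


def generated_codes(depth, fs):
    """All codes built from nat and id by co, int and inv (over the tables fs) in <= depth steps."""
    codes = {NAT, ID}
    for _ in range(depth):
        new = set(codes)
        for a in codes:
            new.add((3, a))
            new.update((4, a, b) for b in codes)
            new.update((6, f, a) for f in fs)
        codes = new
    return codes


def members(F, z):
    """The individuals u with In(u, z) in the fixed point F."""
    return [u for u in UNIVERSE if ('in', u, z) in F]


def check_model(depth=2):
    succ = tuple((u + 1) % N for u in UNIVERSE)      # constructed table functions
    double = tuple((2 * u) % N for u in UNIVERSE)
    codes = generated_codes(depth, [succ, double])
    junk = (9, NAT)                                   # produced by no generator
    F = lfp(codes | {junk})
    typ = {z for z in codes | {junk} if ('typ', z) in F}
    return {
        "facts": F,
        "only_generated": typ == codes,               # only generated codes are types
        "complementary": all((('in', u, z) in F) != (('nin', u, z) in F)
                             for z in typ for u in UNIVERSE),   # Lemma 3
    }
```

The iteration converges after a few rounds because every clause only consults facts about proper subcodes, so types of nesting depth $d$ appear at stage $d+1$ together with their memberships. A fixed point that is not least could additionally contain the junk code, or both $\mathrm{In}(u, a)$ and $\overline{\mathrm{In}}(u, a)$ for some $a$ whose membership facts have no generator-based justification; starting from the empty set rules both out.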

Theorem 3. NEM can be embedded in $\mathsf{ID}_1$.

Proof. The interpretation $\cdot^*$ is chosen according to the remarks above. The verification of the axioms of EETJ and the induction schema $(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_\mathsf{N})$ is straightforward, cf. [Bee85] and [?]. It only remains to check the principle of name induction,

$$(\mathcal{L}_{\mathrm{EM}}\text{-}\mathsf{I}_{\mathfrak{R}})\quad (\forall x.\, C(\chi, x) \to \chi(x)) \to \forall x.\, \mathfrak{R}(x) \to \chi(x).$$

This can be derived from the leastness principle for $P_\varphi$,

$$(\forall z.\, \varphi(\psi, z) \to \psi(z)) \to \forall z.\, P_\varphi(z) \to \psi(z),$$

by choosing a formula $\psi(z)$ so that

$$\psi((0, x)) \leftrightarrow \chi^*(x),$$

$$\psi((1, (x, y))) \leftrightarrow \mathrm{In}(x, y),$$

$$\psi((2, (x, y))) \leftrightarrow \overline{\mathrm{In}}(x, y),$$

$$\psi(z) \leftrightarrow 0 = 0 \ \text{ for every other argument } z.$$

Starting from the premise $[\forall x.\, C(\chi, x) \to \chi(x)]^*$ we obtain $\forall z.\, \varphi(\psi, z) \to \psi(z)$: assume $\varphi(\psi, z)$ holds with $z = (0, x)$ for some $x$. Then we get $C_{\mathrm{Typ}}(\psi, x)$, which implies $[C(\chi, x)]^*$. So $\chi^*(x)$ follows by our premise, and $\psi((0, x))$ holds by the definition of $\psi$. If $\varphi(\psi, z)$ holds and there is no $x$ with $z = (0, x)$, then $\psi(z)$ is trivially fulfilled. Hence we conclude by the leastness condition for $P_\varphi$ that $\forall z.\, P_\varphi(z) \to \psi(z)$ holds. Let $z$ be $(0, x)$; then we have $P_\varphi((0, x)) \to \psi((0, x))$, which reads as $\mathrm{Typ}(x) \to \chi^*(x)$. Because $\mathfrak{R}(x)$ is interpreted as $\mathrm{Typ}(x)$, we are finished.

This theorem, together with Theorem 2 and the well-known proof-theoretic equivalence of $\mathsf{ID}_1^{\mathrm{acc}}$ and $\mathsf{ID}_1$, yields the final result:

Theorem 4. The theory NEM of explicit mathematics with name induction is proof-theoretically equivalent to $\mathsf{ID}_1$, and its proof-theoretic ordinal is the Bachmann-Howard ordinal.
Abstract. Explicit modal logic was introduced by S. Artemov. Whereas the traditional modal logic uses atoms $\Box F$ with a possible semantics "$F$ is provable", the explicit modal logic deals with atoms of the form $t\!:\!F$, where $t$ is a proof polynomial denoting a specific proof of a formula $F$. Artemov found the explicit modal logic $\mathcal{LP}$ in this new format and built an algorithm that recovers explicit proof polynomials corresponding to modalities in every derivation in K. Gödel's modal provability calculus $\mathsf{S4}$. In this paper we study the complexity of $\mathcal{LP}$ as well as the complexity of the explicit counterparts of the modal logics $\mathsf{K}$, $\mathsf{D}$, $\mathsf{T}$, $\mathsf{K4}$, $\mathsf{D4}$ found by V. Brezhnev. The main result: the satisfiability problem for each of these explicit modal logics belongs to the class $\Sigma_2^p$ of the polynomial hierarchy. The same problem for the original modal logics is known to be PSPACE-complete. Therefore, explicit modal logics have much better upper complexity bounds than the original modal logics.



1 Introduction and Main Definitions 

The idea to describe provability by means of modal logic was formulated by K. Gödel in [?]. He axiomatized the general properties of provability in the modal language and obtained the modal logic coinciding with $\mathsf{S4}$. However, the problem of finding the exact provability semantics for $\mathsf{S4}$ remained open.

The explicit logic of proofs $\mathcal{LP}$, formulated in terms of the predicate "$t$ is a proof of $A$", was introduced by S. Artemov in [?]. It incorporates proofs into the propositional language by means of proof polynomials constructed with the help of elementary computable operations corresponding to modus ponens, proof-checking and non-deterministic choice. $\mathcal{LP}$ is supplied with the appropriate arithmetical semantics and is proved to be complete with respect to this semantics (cf. [?]). $\mathcal{LP}$ is proved to be an explicit counterpart of the logic of informal provability $\mathsf{S4}$. Namely, $\mathcal{LP}$ is sufficient to realize the whole of $\mathsf{S4}$ by assigning explicit proof polynomials to the occurrences of $\Box$ in $\mathsf{S4}$-derivations (cf. [?]). So the Logic of Proofs $\mathcal{LP}$ provides $\mathsf{S4}$ with the intended provability reading.

Explicit analogues of modal logics weaker than $\mathsf{S4}$ (in particular of $\mathsf{K}$, $\mathsf{D}$, $\mathsf{T}$, $\mathsf{K4}$, $\mathsf{D4}$) were introduced by V. Brezhnev in [?]. He suggested an axiomatization for them and proved that they suffice to realize the corresponding modal logics (in the same way as $\mathcal{LP}$ realizes $\mathsf{S4}$).
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Decidability of CV was proved by A. Mkrtychev in 0. In this paper we adapt 
this algorithm to the explicit logics introduced in 0 and evaluate its complexity. 
It turned out that the derivability problem for all of these logics belongs to the 
class II 2 in the polynomial hierarchy while all the corresponding modal logics 
are known to be PSPACE-complete. 

In this section we will formulate the language of explicit modal logics (or the 
language of CV) and give axiomatics for them. In Section 0 we will describe the 
semantics for the explicit logics and prove their completeness with respect to it. 
This semantics for CV was suggested by Mkrtychev in |7|. We adapt it for all 
the other explicit logics. Finally, in Section0we describe the decision algorithm 
and evaluate its complexity. 

Let us describe the modal logics we deal with. First, we give the full list of 
modal axioms: 

A0  Axioms of classical propositional logic in the monomodal language 
AN  □(F → G) → (□F → □G)      (normality) 
AD  □⊥ → ⊥                    (seriality) 
AT  □F → F                    (reflexivity) 
A4  □F → □□F                  (transitivity) 

The minimal logic K contains axioms A0 and AN and the rules of inference 
modus ponens and necessitation F / □F. All the other logics are extensions of K 
with the additional axioms: D = K + AD, T = K + AT, K4 = K + A4, 
D4 = D + A4 and S4 = T + A4. 

Now we turn to the description of the explicit modal logics (cf. [?], [?]). They 
are formulated in the language of LP, which contains proof variables x_i, proof 
constants and operations on proofs (binary ·, + and monadic !); sentence letters 
S_i, boolean connectives, the boolean constant ⊥, and the binary proof operator 
(polynomial):(formula). Proofs are represented by polynomials generated from 
proof variables and constants by means of the operations on proofs. Formulae are 
constructed from the sentence letters and boolean constants in the usual way 
with the additional rule: if F is a formula and t is a polynomial then t:F is 
a formula. Let SVar stand for the set of all sentence letters, Pn for the set of 
polynomials and Fm for the set of formulae. 

Now we are going to define the following explicit logics: 

LP(K), LP(D), LP(T), LP(K4), LP(D4), LP(S4).                          (1) 

In what follows by an explicit logic we mean any of these six logics. As before, first 
we give the list of explicit axioms (cf. [?], [?]): 

A0  Axioms of classical propositional logic in the language of LP 
A1  t:(F → G) → (s:F → (t·s):G) 
A2  t_i:F → (t₁ + t₂):F,  i = 1, 2 
A3  t:⊥ → ⊥ 
A4  t:F → !t:(t:F) 
A5  t:F → F 
There are two explicit versions of the modal necessitation rule for an explicit 
logic L: 

Nec!   ⊢ !ⁿa:(!ⁿ⁻¹a:…(!a:(a:A))…) 

Nec    ⊢ a:A 

where a is a proof constant and A is an axiom of L. 

All the explicit logics contain axioms A0, A1, A2 and the rule modus ponens. 
To obtain the axiom system for them one has to add Nec! for LP(K); A3 
and Nec! for LP(D); A5 and Nec! for LP(T); A4 and Nec for LP(K4); 
A4, A3 and Nec for LP(D4); A4, A5 and Nec for LP(S4). 

It may be easily observed that all explicit axioms except for A2 can be obtained 
by replacing □ in a corresponding modal axiom by a certain proof polynomial. 
So we use the names of modal axioms to refer to their explicit analogues. 
For example, we call LP(K4), LP(D4) and LP(S4) transitive explicit logics 
since they contain the explicit axiom A4 corresponding to the modal axiom of 
transitivity A4. 

By an explicit realization r of a modal formula F we mean an assignment 
of proof polynomials to all occurrences of the modality in F; the image of F under 
such a realization is denoted by Fʳ. Now we formulate the main result about 
the connection between modal logics and their explicit analogues. 

Theorem 1 (Artemov). S4 ⊢ F iff LP ⊢ Fʳ for some realization r (cf. [?]). 

Theorem 2 (Brezhnev). Let L be one of the modal logics K, D, T, K4, D4. Then 
L ⊢ F iff LP(L) ⊢ Fʳ for some realization r (cf. [?]). 

2 Semantics for Explicit Logics and Completeness Theorem 

In this section we describe semantics for the logics (1). This semantics for the 
logic LP(S4) = LP was introduced by Mkrtychev in [?]. He also proved completeness 
of LP with respect to this semantics. In this section his results are 
generalized to all explicit logics. 

Definition 1. A function * : Pn → 2^Fm that assigns to every proof polynomial 
a set of LP-formulae is called a proof-theorem assignment if it satisfies the 
following two conditions: 

1. if (F → G) ∈ *(t) and F ∈ *(s) then G ∈ *(t·s); 

2. *(t) ∪ *(s) ⊆ *(t + s). 

A proof-theorem assignment is called transitive if it satisfies in addition a 
transitivity condition: if F ∈ *(t) then (t:F) ∈ *(!t). A proof-theorem assignment is 
serial if ⊥ ∉ *(t) for every proof polynomial t. 
Remark 1. We do not require the sets *(t) to be finite. 

Definition 2. A model M is a triple (v, *, ⊨), where v is a truth-assignment, 
i.e. a mapping v : SVar → {True, False}, * is a proof-theorem assignment and 
⊨ is a truth relation. The latter is defined in the following way. 

1. For sentence letters, ⊨ S iff v(S) = True; and ⊭ ⊥; 

2. ⊨ F → G iff ⊭ F or ⊨ G; 

3. ⊨ t:F iff F ∈ *(t). 

Remark 2. In what follows we omit the cases concerning boolean connectives 
other than implication. These missing cases can be easily restored using expressions 
for the connectives in terms of implication and ⊥. 

Definition 3. A model M = (v, *, ⊨) is called reflexive if F ∈ *(t) implies 
M ⊨ F for any polynomial t and any formula F. 

Evidently, there is a precise correspondence between the conditions imposed on 
a proof-theorem assignment and the explicit axioms A1, A2. A transitive assignment 
satisfies axiom A4, which corresponds to the transitivity modal axiom. 
Similarly, axiom A3, corresponding to the seriality modal axiom, is true for any serial 
assignment. Finally, in a reflexive model axiom A5, expressing weak reflexivity, 
also holds. 

Let us call any set of formulae introduced by the necessitation rule a Constant 
Specification (CS) for the logic L. Namely, for the logics LP(K), LP(D), LP(T) a 
CS is any set of formulae of the form !ⁿa:…:(!a:(a:A))…, where a is a 
proof constant and A is an axiom of the corresponding logic. For LP(K4), LP(D4), 
LP(S4) the formulae should be of the form a:A, where a is a proof constant and A is 
an axiom of the corresponding logic. 

For any explicit logic L let CS_L denote the maximal constant specification, 
namely 

CS_L = { !ⁿa:…:(!a:(a:A)) | a is a proof constant, A is an axiom of L } 
if L ∈ {LP(K), LP(D), LP(T)}, or 

CS_L = { a:A | a is an axiom constant, A is an axiom of L } 
if L ∈ {LP(K4), LP(D4), LP(S4)}. 

Remark 3. The specification CS_L depends on the axiomatization chosen for 
propositional logic in A0. 

Definition 4. Let CS be a constant specification. A model M is called a 
CS-model if M ⊨ CS. 
Table 1. Additional conditions on L-models 

Explicit logic | Proof-theorem assignment | Model 
LP(K)          |                          | 
LP(D)          | serial                   | 
LP(T)          |                          | reflexive 
LP(K4)         | transitive               | 
LP(D4)         | serial transitive        | 
LP(S4)         | transitive               | reflexive 

Definition 5. Let L be one of the logics (1). An L-model is any CS_L-model satisfying 
the additional conditions given in Table 1. 

The following theorem states the completeness of explicit modal logics with 
respect to the semantics described above. 

Theorem 3 (completeness). Let L be an explicit logic. Then 

L ⊢ F  ⟺  F is true in all L-models. 

The proof of Theorem 3 is standard, so we just give the main ideas in brief. 

Definition 6. Let L be one of the logics (1). 
A set Γ ⊆ Fm is called L-consistent if L ⊬ ¬(A₁ ∧ … ∧ Aₙ) for any finite 
subset {A₁, …, Aₙ} ⊆ Γ. Γ is called maximal L-consistent if in addition either 
F ∈ Γ or ¬F ∈ Γ holds for any LP-formula F. 

The following lemma is standard. 

Lemma 1. 

1. Let Γ be an L-consistent set. Then there exists a maximal L-consistent set Γ' 
such that Γ ⊆ Γ'. 

2. Any maximal L-consistent set contains L and is closed under the inference 
rules of L. 

Lemma 2. Suppose Γ is a maximal L-consistent set. Then there exists an 
L-model M such that M ⊨ Γ. 

Proof. In order to construct the desired model let us define the proof-theorem 
assignment *(t) = {F ∈ Fm | t:F ∈ Γ} for any polynomial t. It can be 
easily observed that * is a proof-theorem assignment. Moreover, * is serial 
for L ∈ {LP(D), LP(D4)} and transitive for L ∈ {LP(K4), LP(D4), LP(S4)}. 
For every sentence letter S let us put v(S) = True iff S ∈ Γ. 

Let us consider the model M = (v, *, ⊨). By induction on the complexity of the 
formula F it can be easily shown that M ⊨ F ⟺ F ∈ Γ. At the same time, 
(t:F → F) ∈ L ⊆ Γ for the reflexive logics LP(T), LP(S4), which provides 
reflexivity of the model M for them. So M is an L-model. □ 
Proof (of Theorem 3). If L ⊢ F then obviously M ⊨ F for any L-model M. 
Suppose L ⊬ F. In such a case the set {¬F} is L-consistent and we can extend 
it to some maximal L-consistent set Γ. By Lemma 2 there exists an L-model M 
such that M ⊨ Γ, in particular M ⊨ ¬F. □ 

While dealing with the reflexive logics LP(T) and LP(S4) one has to prove 
reflexivity of a given model. The following notion allows avoiding this difficulty. 

Definition 7. A pre-model P is a triple (v, *, ⊨_p), where v is a truth-assignment, 
* is a proof-theorem assignment and the definition of the truth relation ⊨_p 
is similar to ⊨ (see Definition 2) except for the case 

⊨_p t:F  ⟺  F ∈ *(t) and ⊨_p F. 

Definition 8. A model M = (v, *, ⊨) and a pre-model P = (v', *', ⊨_p) are 
called equivalent if the truth relations ⊨ and ⊨_p coincide. 

The following lemma describes the correlation between the notions of a model 
and a pre-model. 

Lemma 3. For any reflexive model M = (v, *, ⊨) there exists a pre-model 
P = (v', *', ⊨_p) equivalent to it. Conversely, for any pre-model P = (v', *', ⊨_p) 
there exists a reflexive model M = (v, *, ⊨) equivalent to it. Moreover, if the initial 
model (pre-model) is transitive then the resulting pre-model (model) is also 
transitive. 

Proof. Suppose M = (v, *, ⊨) is a reflexive model. Then the pre-model 
P = (v, *, ⊨_p) is equivalent to M, i.e. P ⊨_p F ⟺ M ⊨ F. Reason by induction 
on the complexity of F. The case of sentence letters and boolean connectives is 
trivial. Let F = t:G. If P ⊨_p t:G then G ∈ *(t) and M ⊨ t:G. Conversely, 
if M ⊨ t:G then G ∈ *(t). The model M is reflexive, so M ⊨ G. By the 
induction hypothesis P ⊨_p G. Thus, we obtain P ⊨_p t:G. 

Conversely, being given a pre-model P = (v', *', ⊨_p) we define F ∈ *(t) 
iff F ∈ *'(t) and P ⊨_p F for every polynomial t and every formula F. It is 
easy to see that * is a proof-theorem assignment. Now we can define the model 
M = (v', *, ⊨) and prove that it is equivalent to the initial pre-model P. As 
before we consider only formulae of the form t:G. 

M ⊨ t:G  ⟺  G ∈ *(t)  ⟺  G ∈ *'(t) and P ⊨_p G  ⟺  P ⊨_p t:G. 

Reflexivity of M immediately follows from the reflexivity of P. The only thing we 
have to show is that * is transitive in case of a transitive *'. Suppose F ∈ *(t). It 
means that F ∈ *'(t) and P ⊨_p F. Then (t:F) ∈ *'(!t) since *' is transitive, and 
obviously P ⊨_p t:F. So (t:F) ∈ *(!t). □ 
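The truth relations of Definitions 2 and 7, and the passage from a pre-model to an equivalent reflexive model in the proof of Lemma 3, carried out in code. This is an added example and not part of the paper: formulae and polynomials are encoded as Python tuples of my own choosing, assignments are finite dictionaries (a polynomial absent from the dictionary gets the empty set), and only implication and ⊥ are covered, as in Remark 2.

```python
# Added example (not from the paper). Encoding chosen here:
#   formulae:    ('S', name) | ('bot',) | ('imp', A, B) | ('pf', t, A)   -- 'pf' is t:A
#   polynomials: ('x', name) | ('c', name) | ('app', t, s) | ('plus', t, s) | ('bang', t)
# A proof-theorem assignment is a dict {polynomial: set of formulae}; missing keys mean the empty set.

def holds(v, star, f):
    """M |= f for the model (v, star, |=) of Definition 2."""
    kind = f[0]
    if kind == 'S':
        return v.get(f[1], False)
    if kind == 'bot':
        return False
    if kind == 'imp':
        return (not holds(v, star, f[1])) or holds(v, star, f[2])
    return f[2] in star.get(f[1], set())             # t:A is true iff A is in *(t)

def holds_pre(v, star, f):
    """P |=p f for the pre-model of Definition 7: t:A additionally needs |=p A."""
    kind = f[0]
    if kind == 'pf':
        return f[2] in star.get(f[1], set()) and holds_pre(v, star, f[2])
    if kind == 'imp':
        return (not holds_pre(v, star, f[1])) or holds_pre(v, star, f[2])
    return holds(v, star, f)                          # letters and bottom: same as in a model

def model_from_premodel(v, star_pre):
    """Construction from the proof of Lemma 3: *(t) = { F in *'(t) : P |=p F }.
    The resulting model (v, *, |=) is reflexive and equivalent to the pre-model."""
    return {t: {f for f in fs if holds_pre(v, star_pre, f)} for t, fs in star_pre.items()}

def is_reflexive(v, star):
    """Definition 3: every formula stored in *(t) must itself be true in the model."""
    return all(holds(v, star, f) for fs in star.values() for f in fs)

def equivalent_on(v, star_model, star_pre, formulas):
    """Definition 8, checked on a finite list of formulae: |= and |=p agree on all of them."""
    return all(holds(v, star_model, f) == holds_pre(v, star_pre, f) for f in formulas)

if __name__ == "__main__":
    # constructed sample: *'(x) = {p, p -> q}, with p true and q false
    x, p, q = ('x', 'x'), ('S', 'p'), ('S', 'q')
    pre = {x: {p, ('imp', p, q)}}
    v = {'p': True, 'q': False}
    m = model_from_premodel(v, pre)
    print("pre-model assignment is reflexive as a model:", is_reflexive(v, pre))   # False
    print("constructed model:", m, "reflexive:", is_reflexive(v, m))              # {x: {p}} True
    print("equivalent:", equivalent_on(v, m, pre, [('pf', x, p), ('pf', x, ('imp', p, q))]))
```

The pre-model makes x:(p → q) false because p → q is false under v, even though the formula sits in *'(x); the constructed model reaches the same verdict by dropping p → q from *(x), which is exactly how Lemma 3 turns the reflexivity requirement into a condition on the assignment.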

The notion of a CS-pre-model is defined similarly to that of a CS-model (see 
Definition 4). 

Definition 9. A pre-model P is called 

— an LP(T)-pre-model if it is a CS_{LP(T)}-pre-model; 

— an LP(S4)-pre-model if it is a CS_{LP(S4)}-pre-model with a transitive proof-theorem 
assignment. 

By Theorem 3 and Lemma 3 we have 

Theorem 4. Let L ∈ {LP(T), LP(S4)}, then 

L ⊢ F  ⟺  F is true in all L-pre-models. 

3 The Decision Algorithm 

In this section we describe the decision algorithm for the non-derivability problem in 
explicit modal logics (this problem is dual to the derivability problem) and evaluate 
its complexity. The decision procedure is based on Theorem 3 (or on Theorem 4 
for the reflexive logics LP(T), LP(S4)). Given a formula F, in order to establish 
that L ⊬ F one can construct an L-model M such that M ⊭ F if L is one of the 
logics LP(K), LP(D), LP(K4), LP(D4) (or an L-pre-model P such that P ⊭_p F 
for L ∈ {LP(T), LP(S4)}). The algorithm consists of two parts. 

1. The saturation algorithm produces a set of requirements which should be 
imposed on a counter-model for the formula F. 

2. The completion algorithm constructs a counter-model satisfying these 
requirements if such a model exists. 

Along with formulae we also consider expressions of the form A ∈ *(t). We 
call these expressions *-requirements. Formulae and *-requirements are called 
metaformulae. A sequent is a pair Γ ⇒ Δ, where Γ and Δ are finite sets of 
metaformulae. 

Definition 10. A sequent Γ ⇒ Δ is true in a model (pre-model) if at least one 
metaformula from Γ is false or at least one metaformula from Δ is true in it. 

Definition 11. A sequent Γ ⇒ Δ is saturated if 

1. (A → B) ∈ Γ implies A ∈ Δ or B ∈ Γ; 

2. (A → B) ∈ Δ implies A ∈ Γ and B ∈ Δ; 

3. (t:A) ∈ Γ implies (A ∈ *(t)) ∈ Γ; 

4. (t:A) ∈ Δ implies (A ∈ *(t)) ∈ Δ. 

A sequent Γ ⇒ Δ is reflexively saturated if in the previous list we replace the 
conditions 3 and 4 by their reflexive analogues: 

3'. (t:A) ∈ Γ implies A ∈ Γ and (A ∈ *(t)) ∈ Γ; 

4'. (t:A) ∈ Δ implies A ∈ Δ or (A ∈ *(t)) ∈ Δ. 
3.1 The Saturation Algorithm 

In this subsection we describe the saturation algorithm and evaluate its complexity. 
We describe the algorithm in detail for the case of LP(S4) = LP and then 
point out the amendments that should be made to adapt the algorithm for other 
logics. 

The algorithm starts being given a sequent Γ ⇒ Δ. Every formula in it can 
be discharged (unavailable) or undischarged (available for processing). Initially 
all formulae are undischarged. Non-deterministically choose some undischarged 
formula G from Γ ∪ Δ and non-deterministically try to perform one of the 
following instructions. 

1. If G = (A → B) ∈ Γ then put A into Δ or B into Γ. 

2. If G = (A → B) ∈ Δ then put A into Γ and B into Δ. 

3. If G = (t:A) ∈ Γ then put A and (A ∈ *(t)) into Γ. 

4. If G = (t:A) ∈ Δ then put A or (A ∈ *(t)) into Δ. 

After a step is performed discharge G (make it unavailable). Discharge G even 
if it is a sentence letter or ⊥ and none of the clauses above could be applied. 
Terminate if all formulae from Γ ∪ Δ are discharged. Produce the obtained 
sequent as a result. 
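The saturation algorithm above in runnable form, as an added example that is not code from the paper. It applies the reflexive instructions 1 to 4 for LP(S4) in the variant that erases a processed implication or proof assertion instead of merely discharging it (the variant Lemma 6 below justifies), explores every branch of the non-deterministic computation, and returns the set of all reflexively saturated sequents a run can end in. Formulae, polynomials and *-requirements are encoded as Python tuples of my own choosing; the depth measure d from the proof of Lemma 4 is included as the termination argument.

```python
# Added example (not from the paper). Encoding chosen here:
#   formulae:       ('S', name) | ('bot',) | ('imp', A, B) | ('pf', t, A)   -- 'pf' is t:A
#   polynomials:    ('x', name) | ('c', name) | ('app', t, s) | ('plus', t, s) | ('bang', t)
#   *-requirements: ('req', t, A)   -- the metaformula "A in *(t)"
# Sequents are pairs of frozensets (Gamma, Delta) of metaformulae.

def depth(f):
    """Depth measure from the proof of Lemma 4: d(S_i) = d(bot) = 1,
    d(A -> B) = d(A) + d(B) + 1, d(t:A) = d(A) + 1.  *-requirements are never
    processed, so they count 1 like atoms."""
    if f[0] == 'imp':
        return depth(f[1]) + depth(f[2]) + 1
    if f[0] == 'pf':
        return depth(f[2]) + 1
    return 1

def available_depth(gamma, delta):
    """Sum of depths of the formulae still available for processing; drops at every step."""
    return sum(depth(f) for f in gamma | delta if f[0] in ('imp', 'pf'))

def saturate(gamma, delta):
    """Run the reflexive saturation algorithm for LP(S4) along every branch.
    Returns the set of resulting sequents; each is reflexively saturated and contains
    only atoms and *-requirements, because processed formulae are erased."""
    results = set()

    def run(g, d):
        pending = [('g', f) for f in g if f[0] in ('imp', 'pf')] + \
                  [('d', f) for f in d if f[0] in ('imp', 'pf')]
        if not pending:                      # everything discharged: a result
            results.add((g, d))
            return
        side, f = pending[0]                 # which formula is chosen does not affect the results
        g2, d2 = g - {f}, d - {f}            # erase the processed formula
        if f[0] == 'imp':
            a, b = f[1], f[2]
            if side == 'g':                  # instruction 1: A into Delta, or B into Gamma
                run(g2, d2 | {a})
                run(g2 | {b}, d2)
            else:                            # instruction 2: A into Gamma and B into Delta
                run(g2 | {a}, d2 | {b})
        else:
            t, a = f[1], f[2]
            req = ('req', t, a)
            if side == 'g':                  # instruction 3: A and (A in *(t)) into Gamma
                run(g2 | {a, req}, d2)
            else:                            # instruction 4: A or (A in *(t)) into Delta
                run(g2, d2 | {a})
                run(g2, d2 | {req})

    run(frozenset(gamma), frozenset(delta))
    return results

def trivially_true(gamma, delta):
    """The two conditions of Lemma 8 that need no *-requirement reasoning:
    a sequent with Gamma and Delta overlapping, or with bot in Gamma, is true everywhere."""
    return bool(gamma & delta) or ('bot',) in gamma

if __name__ == "__main__":
    x, p = ('x', 'x'), ('S', 'p')
    # constructed input: the instance x:p -> !x:(x:p) of axiom A4, started as  => F
    a4 = ('imp', ('pf', x, p), ('pf', ('bang', x), ('pf', x, p)))
    for g, d in sorted(saturate(set(), {a4}), key=repr):
        print(sorted(g, key=repr), "=>", sorted(d, key=repr), "trivially true:", trivially_true(g, d))
```

On the A4 instance two of the three branches close by Γ ∩ Δ ≠ ∅, while the third ends with p ∈ *(x) on the left and x:p ∈ *(!x) on the right; only the completion algorithm, using transitivity of the assignment, shows that this last sequent is LP(S4)-valid too.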

Lemma 4. The saturation algorithm satisfies the following properties. 

1. It terminates. 

2. It produces a reflexively saturated sequent. 

3. For every pre-model the initial sequent is false in it whenever the resulting 
one is false. 

4. For every pre-model, if the initial sequent is false in it then one of the possible 
computations produces a sequent which is also false in it. 

Proof. 1. Let us define the depth of a formula by induction: d(S_i) = d(⊥) = 1, 
d(A → B) = d(A) + d(B) + 1, d(t:A) = d(A) + 1. Obviously, each step of 
the algorithm decreases the sum of the depths of all available formulae in 
the sequent. Therefore, the algorithm terminates. 

2. Each step of the algorithm performs saturation for the chosen formula. Since 
all formulae in the resulting sequent are discharged, this sequent is reflexively 
saturated. 

3. It is easy to see from the definition of the saturation algorithm that if we 
reverse the algorithm step by step the falseness of the sequent is preserved. So 
from the assumption that the resulting sequent is false we derive that the 
initial one is necessarily false. 

4. Suppose the initial sequent is false in a given pre-model. All metaformulae 
are true or false in it. We start the algorithm. At every step we can put the 
metaformula into Γ if it is true and into Δ if it is false. □ 
Corollary 1. Given a formula F put Γ := ∅, Δ := {F}. Perform the saturation 
algorithm for the sequent Γ ⇒ Δ. If the saturation algorithm produces a sequent 
which is false in some LP(S4)-pre-model then F ∉ LP(S4). Otherwise, if every 
possible computation leads to an LP(S4)-valid sequent, i.e. a sequent true in all 
LP(S4)-pre-models, then F ∈ LP(S4). 

Lemma 5. The saturation algorithm is an NP-algorithm (in the polynomial 
hierarchy), i.e. it is a non-deterministic algorithm that works in polynomial time. 

Proof. The length of all branches of the computational tree is limited by the 
number of subformulae of the initial sequent. The number of variants of processing 
at every step of the algorithm is twice as large, because some formulae 
can be processed in two different ways. We only need to find the branch of the 
computational tree that will produce a sequent that is not LP(S4)-valid. So the 
computational tree is an NP-tree. □ 

Now let us mention a useful property of the saturation algorithm. 

Lemma 6. If, when performing the instructions of the saturation algorithm, one 
erases the discharged formula, then Lemma 4 and Lemma 5 remain true. 

In what follows, we will use this second variant of the saturation algorithm. 

Remark 4. Now we describe how to adapt the saturation algorithm for the non-reflexive 
logics LP(K), LP(D), LP(K4) and LP(D4). Since we need to construct a 
model (not a reflexive pre-model as before) we do not need a reflexively saturated 
sequent, and the instructions for processing t:A should be read as follows: 

3'. If G = (t:A) ∈ Γ then put (A ∈ *(t)) into Γ. 
4'. If G = (t:A) ∈ Δ then put (A ∈ *(t)) into Δ. 

This saturation algorithm has the same properties except for one: it produces a 
saturated sequent (not a reflexively saturated one). 

3.2 The Completion Algorithm 

As before, first we discuss the completion algorithm for LP(S4) and then adapt 
it for other explicit logics. The completion algorithm deals with a sequent 
Γ ⇒ Δ containing atomic formulae and *-requirements. It terminates with success 
if there exists an LP(S4)-pre-model in which Γ ⇒ Δ is false. Otherwise, it 
terminates with failure. Let us clarify when such a pre-model exists and how it 
should be constructed. 

Of course, if Γ ∩ Δ ≠ ∅ or ⊥ ∈ Γ then the counter-model in question 
cannot exist. Indeed, ⊥ is always false and no formula can be true and false 
simultaneously. 

Suppose all of the assumptions above are wrong. Then we can define a 
truth-assignment v as follows: 

v(S_i) = True  ⟺  S_i ∈ Γ.                                           (2) 

Then sentence letters from Γ are true and the letters from Δ are false. Thus, in 
order to construct a counter-model it is sufficient to satisfy the *-requirements, 
including transitivity of *. Besides, the counter-model in question should be a 
CS_{LP(S4)}-pre-model, which can also be expressed in terms of *-requirements. 
Let CS*_{LP(S4)} denote the set 

CS*_{LP(S4)} = { A ∈ *(a) | a is a proof constant, A is an axiom of LP(S4) }. 

Therefore, in order to construct the counter-model for Γ ⇒ Δ it is sufficient 
to produce a transitive proof-theorem assignment * such that all *-requirements 
from Γ and CS*_{LP(S4)} are true and all *-requirements from Δ are false for *. 

Definition 12. Let Φ be an arbitrary set of *-requirements. A proof-theorem 
assignment * is based on Φ if all requirements from Φ are true for *. 

Lemma 7. For any set Φ there exists a minimal transitive proof-theorem assignment 
* based on it, i.e. * is based on Φ and for every transitive proof-theorem 
assignment *' based on Φ we have *(t) ⊆ *'(t) for all polynomials t. 

Proof. In order to construct such an assignment we should only close Φ under 
the following rules. 

\[
\mathrm{R1}\ \frac{G \in *(t)}{(t{:}G) \in *(!t)}
\qquad
\mathrm{R2}\ \frac{(A \to G) \in *(t) \qquad A \in *(s)}{G \in *(t \cdot s)}
\qquad
\mathrm{R3}\ \frac{G \in *(t_i)}{G \in *(t_1 + t_2)},\ i = 1, 2
\]

Let Γ' and Δ' denote the sets of *-requirements from Γ and Δ respectively. 



Lemma 8. Let Γ ⇒ Δ be a sequent containing only atomic formulae and 
*-requirements. It is refutable, i.e. there is an LP(S4)-pre-model that refutes 
it, iff the following conditions are satisfied. 

1. Γ ∩ Δ = ∅; 

2. ⊥ ∉ Γ; 

3. All *-requirements from Δ' are false for the minimal transitive proof-theorem 
assignment *_m based on Γ' ∪ CS*_{LP(S4)}. 

Proof. We consider the minimal transitive proof-theorem assignment *_m based 
on Γ' ∪ CS*_{LP(S4)}. If this assignment refutes all *-requirements from Δ' then the 
pre-model P = (v, *_m, ⊨_p), with v given by (2), refutes Γ ⇒ Δ. Otherwise, if *_m satisfies one 
of the *-requirements from Δ' then it is true for any other transitive assignment 
based on Γ' ∪ CS*_{LP(S4)}. So the desired counter-model does not exist. □ 
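Lemma 7 and Lemma 8 in executable form, as an added example that is not part of the paper. Instead of axiom schemes and unification (which the completion algorithm described next in this section needs), the constant specification is passed in as a finite set of ground *-requirements, so the minimal transitive assignment can be computed recursively over the structure of each polynomial: the rules R1 to R3 only pass formulae from subpolynomials upwards, never downwards. The tuple encoding of formulae, polynomials and requirements is my own.

```python
# Added example (not from the paper). Encoding chosen here:
#   formulae:       ('S', name) | ('bot',) | ('imp', A, B) | ('pf', t, A)   -- 'pf' is t:A
#   polynomials:    ('x', name) | ('c', name) | ('app', t, s) | ('plus', t, s) | ('bang', t)
#   *-requirements: ('req', t, A)   -- "A in *(t)"
from functools import lru_cache

def minimal_assignment(base, transitive=True):
    """Lemma 7: return star(t), the least proof-theorem assignment based on `base`
    (a set of *-requirements) and closed under R2, R3 and, if `transitive`, R1.
    Because every rule concludes about a polynomial strictly larger than its premises,
    star(t) depends only on the requirements placed on subpolynomials of t."""
    by_poly = {}
    for _, t, a in base:
        by_poly.setdefault(t, set()).add(a)

    @lru_cache(maxsize=None)
    def star(t):
        out = set(by_poly.get(t, ()))                  # requirements imposed directly on t
        kind = t[0]
        if kind == 'bang' and transitive:              # R1: G in *(t) gives t:G in *(!t)
            out |= {('pf', t[1], g) for g in star(t[1])}
        elif kind == 'app':                            # R2: (A->G) in *(t), A in *(s) gives G in *(t.s)
            left, right = star(t[1]), star(t[2])
            out |= {f[2] for f in left if f[0] == 'imp' and f[1] in right}
        elif kind == 'plus':                           # R3: *(t1) and *(t2) both flow into *(t1 + t2)
            out |= star(t[1]) | star(t[2])
        return frozenset(out)

    return star

def refutable(gamma, delta, cs, transitive=True):
    """Lemma 8 for a sequent of atoms and *-requirements, with a finite ground CS:
    refutable iff Gamma and Delta are disjoint, bot is not in Gamma, and no
    *-requirement of Delta holds for the minimal assignment based on Gamma' u CS."""
    gamma, delta = set(gamma), set(delta)
    if gamma & delta or ('bot',) in gamma:
        return False
    gamma_reqs = {m for m in gamma if m[0] == 'req'}
    star = minimal_assignment(gamma_reqs | set(cs), transitive)
    for m in delta:
        if m[0] == 'req' and m[2] in star(m[1]):      # a requirement of Delta is forced true
            return False
    return True

if __name__ == "__main__":
    x, a, p, q = ('x', 'x'), ('c', 'a'), ('S', 'p'), ('S', 'q')
    # constructed sequent left over by saturating  => x:p -> !x:(x:p)
    gamma = {p, ('req', x, p)}
    delta = {('req', ('bang', x), ('pf', x, p))}
    print("refutable in LP(S4):", refutable(gamma, delta, set()))                  # False
    print("refutable without R1:", refutable(gamma, delta, set(), transitive=False))  # True
    # constructed CS fragment: the constant a proves the axiom instance p -> q ... here a plain
    # implication stands in for an axiom, to show how R2 combines a:(A->G) with x:A
    star = minimal_assignment({('req', a, ('imp', p, q)), ('req', x, p)})
    print("*(a.x) =", set(star(('app', a, x))))                                   # {q}
```

The first call shows the point of transitivity in the completion step: with R1 the requirement x:p ∈ *(!x) in Δ' is forced by p ∈ *(x) in Γ', so no LP(S4) counter-model exists and the sequent is valid; switching R1 off (as Remark 5 prescribes for the non-transitive logics) makes the same sequent refutable.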

In order to deal with axiom schemes we add to the language of LP formula 
variables T₁, …, Tₙ, … and polynomial variables r₁, …, rₙ, …. This makes it 
possible to write one formula in the extended language instead of an infinite set 
of formulae in the language of LP. Suppose we need to find the intersection of 
the schemes A and B, i.e. the set of LP-formulae whose structure satisfies the 
scheme A together with the scheme B. An obvious way of solving this problem 
is to find the most general unifier (mgu) of A and B. This unification means 
that we substitute polynomial variables by some polynomials in the extended 
language and formula variables by some formulae in the extended language. 

In what follows, by a formula we mean a formula in the extended language. 
Now let us describe the completion algorithm. 

Suppose that 

Γ' = {A₁ ∈ *(t_{i₁}), …, Aₙ ∈ *(t_{iₙ})}, 

Δ' = {B₁ ∈ *(s_{j₁}), …, Bₘ ∈ *(s_{jₘ})}. 

Some of the t_{i_k} and s_{j_l} can coincide. 

Preliminary operations. Terminate with failure if Γ ∩ Δ ≠ ∅ or ⊥ ∈ Γ. 
Otherwise, non-deterministically choose one of s_{j_l}, l = 1, 2, …, m, and perform 
the following actions with it. 

Initialization. Non-deterministically choose several non-intersecting occurrences 
of t_{i_k}, k = 1, 2, …, n, as subpolynomials of s_{j_l}. Let us call the chosen 
occurrences pseudo-elementary polynomials. The polynomial s_{j_l} is considered to be 
built from pseudo-elementary polynomials, proof variables and constants. To every 
chosen occurrence of t_{i_k} non-deterministically assign one of the formulae A 
such that (A ∈ *(t_{i_k})) ∈ Γ'. Non-deterministically assign to every occurrence 
of an axiom constant (except those in pseudo-elementary polynomials) one of the axiom 
schemes, written as one formula in the extended language. Choose different 
formula and polynomial variables for different occurrences of axiom constants. 

Assign to every occurrence of + (except those in pseudo-elementary polynomials) 
one of two symbols 'l' or 'r'. Assign null to the occurrences of proof 
variables that are not assigned yet. Assigning null to a subpolynomial actually 
means that nothing is assigned to this subpolynomial. Initialization is complete. 

Assigning. Assign formulae to subpolynomials of s_{j_l} according to the following 
rules. Suppose formulae C₁ and C₂ are assigned to occurrences of subpolynomials 
q₁ and q₂ respectively. One of C₁ and C₂ or both of them may be null. 

1. Assign the formula C₁ to q₁ + q₂ if 'l' was assigned to this occurrence of +. 
Otherwise, assign C₂. 

2. Assign the formula q₁:C₁ to !q₁ if C₁ is not null. Otherwise, assign null. 

3. Assign null to q₁·q₂ if C₁ is neither a formula variable nor a formula of the 
form D → E, or if C₂ is null. Otherwise, if the main connective in C₁ is implication 
then unify D and C₂. If the formulae are unifiable, find their mgu σ 
and assign Eσ to q₁·q₂. If unification is impossible assign null. Finally, if C₁ 
is a formula variable T then assign some new formula variable T' to q₁·q₂. 

Checking. Finally, some formula is assigned to the polynomial s_{j_l}. Unify it 
with the formula B_l. Terminate with failure if these formulae are unifiable. Otherwise, 
if unification is impossible or null is assigned to s_{j_l}, perform another 
initialization and proceed as before. 

If none of the initialization variants terminates with failure then choose 
another polynomial s_{j_l} and perform initializations for it. Terminate with success 
if processing none of the polynomials s_{j_l}, l = 1, …, m, terminates with failure. 

Lemma 9. Suppose a sequent Γ ⇒ Δ consists of atomic formulae and 
*-requirements. The completion algorithm terminates with success on this sequent 
iff the sequent Γ ⇒ Δ is not LP(S4)-valid. 

Now let us evaluate the complexity of the completion algorithm. In the process 
of its execution we need to perform multiple unifications. The length of the 
unified formulae may increase exponentially. 

Example 1. Suppose Γ' contains the following *-requirements, where each 
conjunction has M conjuncts: 

(T₁ → (T₂ → … (T_M → T₁ ∧ T₁ ∧ … ∧ T₁) …)) ∈ *(c₁), 

(T₂ ∧ T₂ ∧ … ∧ T₂) ∈ *(c₂), 

… 

(T_M ∧ T_M ∧ … ∧ T_M) ∈ *(c_M). 

Then we should assign 

(T₂ → … → (T_M → T₂ ∧ T₂ ∧ … ∧ T₂ ∧ … ∧ T₂ ∧ T₂ ∧ … ∧ T₂) …) 

(M blocks of M conjuncts) to c₁·c₂. All the initial requirements have length O(M), while this one 
has length O(M²). Evidently, each step increases the length M times. So the length 
of the formula assigned to c₁·c₂·…·c_M is O(M^M). 

In order to reduce the complexity of the completion algorithm we can store formulae 
as directed acyclic graphs (dags). Then one can use the Robinson graph 
algorithm (for details cf. [?]) for unification of formulae, which is polynomial in the 
sum of the sizes of the dags. Using this algorithm for unification in the completion 
algorithm we obtain the following result. 

Lemma 10. The problem of deciding whether a given sequent containing only 
atomic formulae and *-requirements is refutable is a co-NP problem (Π₁ᵖ in the 
polynomial hierarchy). 

Proof. It follows from the complexity evaluation of the completion algorithm, since this 
algorithm solves the problem in question. □ 



Remark 5. For the serial logics LP(D), LP(D4) we need to check another trivial 
condition before we start constructing the counter-model: (⊥ ∈ *(t)) ∉ Γ for all polynomials t. 
In case this condition is not satisfied terminate with failure. For the non-transitive 
logics LP(K), LP(D), LP(T) the set CS*_L is defined as follows: 

CS*_L = { (!ⁿ⁻¹a:…:a:A) ∈ *(!ⁿa) | a is a proof constant, A is an axiom of L }. 

So instead of assigning axioms to occurrences of axiom constants during initialization 
we should non-deterministically assign formulae !ⁿ⁻¹a:…:a:A to 
occurrences of polynomials !ⁿa. Also we should not use the rule R1 for these 
logics. 

Let us describe the decision algorithm for LP. Given a formula F: 

1. Start the saturation algorithm on the sequent ⇒ F. It produces as a result 
the sequent Γ ⇒ Δ. 

2. Start the completion algorithm on the sequent Γ ⇒ Δ. 

3. Terminate with success if the completion algorithm terminates with success. 
Terminate with failure otherwise. 

We summarize Corollary 1 and Lemma 9 in a theorem. 

Theorem 5. Suppose L is an explicit logic. Given a formula F, the decision 
algorithm terminates with success iff F ∉ L. 

By Lemma 5 and Lemma 10 we have 

Theorem 6. The problem of L-satisfiability is in Σ₂ᵖ. Consequently, the problem 
of derivability in L is in Π₂ᵖ. 

Remark 6. Since all the logics under consideration are conservative extensions 
of classical propositional logic, the problem of L-satisfiability is NP-hard 
(Σ₁ᵖ-hard). 

Corollary 2. The problem of L-satisfiability belongs to Σ₂ᵖ ∩ Σ₁ᵖ-hard. 
Abstract. A finite model property for fully complete denotational models 
of propositional logics is investigated using fully complete translations 
to compare programming languages and logics. The main result is that 
there can be no finite and fully complete models of linear or affine propositional 
logics. This is shown to be a consequence of Loader's result that 
contextual equivalence for finitary PCF is not decidable, by giving a fully 
complete translation from finitary PCF into a yl(i7)“6cia-calculus for a 
dual affine/non-linear logic. It is shown that the non-linear part of this 
logic does have a finite and fully complete model, and a conservative extension 
of the above translation is given from finitary PCF with control 
(μPCF) into the non-linear fragment, which shows that the fully abstract 
model of μPCF is effectively presentable. 

Keywords: linear logic, affine logic, full completeness, PCF, effective 
presentability. 



1 Introduction 

This paper concerns the possibility of a denotational semantics providing complete 
and effective information about proofs and programs. Completeness with 
respect to proofs rather than provability has been introduced as full completeness [?]. 

Definition 1. A model of a logic L in (a category) C is fully complete if every 
morphism between objects [A]_C and [B]_C in C is the denotation of a proof of 
A ⊢ B in L. 

Fully complete models will exist for all sufficiently well-behaved logics: 'term 
models' can be constructed from equivalence classes of the proofs themselves. 
But the main interest in the full completeness problem is in finding models which 
are 'syntax-independent'. As in the case of the full abstraction problem for PCF 
[?], it is not clear what syntax independence should mean. Is it sufficient to 
have a re-presentation of the syntax in a semantic form, or should denotational 
models have some inherently semantic quality? 

A possible criterion is the following 'finite model property' for denotational 
models. 
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Definition 2. A (categorical) model of proofs C is Unitary if for each pair of 
formulas, A, B, there are finitely many elements /i, / 2 , • ■ • /n G C(|^], |i?]) and 
an effective procedure for listing them. 

The property of having some fully complete finite model is essentially a stan- 
dard ‘finite model property’ for languages (such as classical propositional logic) 
with a traditional completeness theorem. To capture the finer detail of a denota- 
tional semantics, we shall say that a language possesses the ‘finite denotational 
model property’ only if it has a non-trivial finitary and fully complete models 
C; i.e. there are some formulas such that C(|A]c, |B]c) contains more than on e 
morphism. 

An effectiveness criterion has been incorporated (like the ‘Jung and Stoughton 
condition’ of effective presentability for fully abstract models of PCF [?]): 
not only should the number of elements of the model be finite at each type but 
it should be possible to generate them in a finite time. Taken together, finiteness 
and full completeness mean having full information about each type-object 
of a model, making problems such as contextual equivalence for the language 
decidable. 

Call a logic finitary if every proposition has finitely many different proofs 
(modulo cut-elimination and commuting conversions). So intuitionistic logic, for 
instance, is not finitary as there are infinitely many ‘different’ cut-free proofs of 
$(P \Rightarrow P) \Rightarrow (P \Rightarrow P)$ — the Church numerals. ‘Fully and faithfully complete 
models’ (such as several games models [?]) which are by definition isomorphic 
to the term model will be finitary if and only if the logic is finitary. 

Semantic models of propositional logics based on sets and functionals (possibly 
with additional structure) will be finitary provided the atomic propositions 
are represented as finite sets, and the connectives as operations preserving 
finiteness. This is the case for the standard interpretation of the simply-typed 
λ-calculus or the coherence space models of propositional linear logic [?]. These 
models also tend to contain ‘junk’ — elements which are not the interpretations 
of proofs. Jung and Tiuryn [?] and others have shown that it is possible 
to ‘cut down’ these models by constructing a definability predicate (in an 
apparently syntax independent way) to get a full completeness result. But can 
this be done effectively? This is precisely the question posed by Streicher in [?] 
with respect to the coherence space model of linear logic in which the atoms are 
interpreted as finite cliques. 

Is it decidable whether a clique in the coherence space model comes from a proof? 

In fact we can answer this question in the negative because there can be no 
(effective) finite models of propositional linear logic which are complete in the 
weaker traditional sense. This has been shown directly by Lafont [?] but is a 
simple corollary of the well-known result that provability for linear logic is not 
decidable. 

Proposition 1. If a logic has a finite and fully complete model, then it is 
decidable. 
Theorem 1 (Lincoln et al. [?]). Propositional linear logic is undecidable. 

Corollary 1. There are no finite and fully complete models of propositional 
linear logic. 

This paper will show that the converse to Proposition 1 is not true, however. 
Undecidability of propositional linear logic relies heavily on the restriction of 
weakening — affine propositional logic (which allows unrestricted weakening 
but retains the restrictions on contraction) is decidable, as shown by Kopylov 
[?]. The main result established here is that affine logic cannot, however, have 
any non-trivial finitary and fully complete models. 

The basis for proving this is Loader’s theorem that observational equivalence 
in finitary PCF is not decidable [?]. This is an important limitative result for 
denotational semantics, as it shows that there can be no effective presentation of a 
fully abstract model of PCF (and no finitary and fully complete model of finitary 
PCF). The analogous property of affine logic can be shown by demonstrating a 
tight connection between logic and programming language, specifically by giving 
a fully complete translation from finitary PCF into a fragment of linear logic. 
Because this translation is effective, a finitary and fully complete model would 
enable observational equivalence of PCF terms to be decided by comparing their 
translations. But this is not possible, so there can be no effective, fully complete 
and finitary model of any part of linear logic containing the fragment in question. 
Thus the translation sheds some light on both Loader’s result and decidability 
questions for linear logic. 

Next, it is shown that an infinitary logic with a finitary and fully complete 
model does exist — intuitionistic propositional logic — using Padovani’s effective 
characterization of the minimal model of the λ-calculus [?]. This result is 
used to show that the fully abstract model of finitary μPCF (PCF with control 
operators) is effectively presentable (by contrast to PCF), by giving a fully 
complete cps translation into the simply-typed λ-calculus with pairing which is a 
conservative extension of the translation from PCF. 

In summary, the paper shows that the finite denotational model property 
is stronger than the simple finite model property, but not so strong that it 
precludes all infinitary logics. It does so by establishing a strong ‘Curry-Howard 
style’ correspondence with related results for simple λ-calculus based languages 
which allows effective presentability and definability to be analyzed from both 
perspectives. 

2 A Linear/Non-linear λ-Calculus 

The fragment of affine logic for which the translation will be given uses dual affine 
and intuitionistic contexts (and connectives) in a natural deduction presentation 
(similar to Benton’s LNL calculus [?], Barber’s DILL and Girard’s LU [?]). 
Formulas are generated from a single propositional atom $\iota$ by the connectives 
$\Rightarrow$, $\multimap$, $\times$ (intuitionistic implication, linear implication, and linear additive 
product). Thus it is expressive — it contains elements of multiplicative ($\multimap$), additive 
($\times$) and exponential ($\Rightarrow$) affine logic. But it is also simple because the connectives 
which make difficulties for determining proof-equalities by giving rise to 
‘commuting conversions’ — $!$ and $\otimes$ — have been avoided. So the term-language 
is familiar — a λ-calculus with pairing — and the typing rules are based on a 
simple intuition — the linear implication can be introduced only when binding 
variables which occur linearly. 

Definition 3. Define the $\lambda_{L/NL}$-types (propositions) by induction over the 
following grammar: 

$T ::= \iota \mid T \Rightarrow T \mid T \multimap T \mid T \times T$ 

Terms-in-context of the associated calculus have the form $\Gamma; \Sigma \vdash t : T$, with a 
single typed formula on the right of the turnstile, and two ‘zones’ of variables 
to the left. This allows some control over the use of structural rules without 
requiring explicit use of exponentials. The first zone is non-linear ($\Gamma$ represents 
a set of variables), allowing contraction to take place there. The second zone 
is affine ($\Sigma$ represents a multiset of variables) — contraction is not permitted 
here. 

The term-language is just the simply-typed λ-calculus with pairing. A single, 
standard notation for λ-abstraction is used, the distinction between the 
introduction rules for the two implication types being which zone the abstracted 
variable comes from. (The affine implication types are implicitly subtypes of 
non-linear implication types.) Similarly, a single (standard) notation for application 
is used for both linear and non-linear implication types. The only difference here 
between the elimination rules for the two versions of the implication is that a term 
of non-linear type can only be applied to terms containing no free linear 
variables, as non-linear application incorporates the ‘promotion’ rule of linear logic. 



Linear Axiom: 
$\dfrac{}{\_\,;\,x:T \vdash x:T}$ 

Dereliction: 
$\dfrac{\Gamma;\Sigma,x:S \vdash t:T}{\Gamma,x:S;\Sigma \vdash t:T}$ 

Weakening: 
$\dfrac{\Gamma;\Sigma \vdash t:T}{\Gamma;\Sigma,x:S \vdash t:T}$ 

Contraction: 
$\dfrac{\Gamma,x:S,y:S;\Sigma \vdash t:T}{\Gamma,x:S;\Sigma \vdash t[x/y]:T}$ 

Linear abstraction and application: 
$\dfrac{\Gamma;\Sigma,x:S \vdash t:T}{\Gamma;\Sigma \vdash \lambda x.t : S \multimap T}$ 
$\qquad$ 
$\dfrac{\Gamma;\Sigma \vdash s:S \quad \Gamma;\Sigma' \vdash t:S \multimap T}{\Gamma;\Sigma,\Sigma' \vdash t\,s:T}$ 

Non-linear abstraction and application: 
$\dfrac{\Gamma,x:S;\Sigma \vdash t:T}{\Gamma;\Sigma \vdash \lambda x.t : S \Rightarrow T}$ 
$\qquad$ 
$\dfrac{\Gamma;\_ \vdash s:S \quad \Gamma;\Sigma \vdash t:S \Rightarrow T}{\Gamma;\Sigma \vdash t\,s:T}$ 

Pairing and projection: 
$\dfrac{\Gamma;\Sigma \vdash s:S \quad \Gamma;\Sigma \vdash t:T}{\Gamma;\Sigma \vdash (s,t):S \times T}$ 
$\qquad$ 
$\dfrac{\Gamma;\Sigma \vdash t:T_1 \times T_2}{\Gamma;\Sigma \vdash \pi_i(t):T_i}$ 

Table 1. Term-formation rules for $\lambda_{L/NL}$ 
Definition 4. The equational theory of $=_{\beta\eta\pi}$ is given by the reflexive, 
transitive closure of the following rules: 

($\beta$) $(\lambda x.t)\,s =_{\beta\eta\pi} t[s/x]$ 

($\eta$) $\lambda x.(t\,x) =_{\beta\eta\pi} t, \quad x \notin FV(t)$ 

($\pi$) $\pi_i((t_1, t_2)) =_{\beta\eta\pi} t_i$ 

($\pi'$) $(\pi_1(t), \pi_2(t)) =_{\beta\eta\pi} t$ 

This paper will show that there are no finitary and fully complete models of 
$\lambda_{L/NL}$. Generalizing this result relies on the existence of fully complete 
translations into more standard logics. 

Definition 5. Let $\mathcal{L}_1, \mathcal{L}_2$ be logics (or typed languages). 

A translation $\phi : \mathcal{L}_1 \to \mathcal{L}_2$ is fully complete if for every context $\Gamma$ and type 
$A$, and for every derivation $\pi$ in $\mathcal{L}_2$ of $\phi(\Gamma) \vdash \phi(A)$, there is a derivation $\Delta$ of 
$\Gamma \vdash A$ in $\mathcal{L}_1$ such that $\phi(\Delta) = \pi$. 

The existence of a fully complete translation $\phi : \mathcal{L}_1 \to \mathcal{L}_2$ means that a fully 
complete model of $\mathcal{L}_2$ gives rise to a fully complete model of $\mathcal{L}_1$, by taking 
$[\![\Gamma \vdash A : \Delta]\!] = [\![\phi(\Gamma) \vdash \phi(A) : \phi(\Delta)]\!]$. 

Proposition 2. If (intuitionistic) affine logic has the finite (denotational) model 
property then so does $\lambda_{L/NL}$. 

Proof. There is a fully complete translation of $\lambda_{L/NL}$ into affine logic. This 
is in effect the well-known ‘Girard translation’ [?] from intuitionistic to linear 
logic, based on the decomposition of the implication $A \Rightarrow B$ as $!A \multimap B$. This is 
formally proved in [?] to be fully complete. The adaptation to the affine case is 
straightforward. 

Kopylov’s result [?] (affine logic is decidable) yields the following corollary. 

Corollary 2. For every type $T$ there is an effective procedure for deciding 
whether some $t : T$ exists. 

There are further fully complete translations from affine logic into intuitionistic 
logic, and from intuitionistic into classical logic. Hence the failure of the finite 
denotational model property to hold for $\lambda_{L/NL}$ implies that it does not hold for 
any of these logics, but as this is in any case a consequence of the failure of the 
weaker finite model property, these are left to a future paper. 



3 Finitary PCF and Loader’s Theorem 

PCF is a simply-typed λ-calculus with constants. Finitary PCF has a single base 
type of booleans, with two values, tt and ff, a constant for non-termination $\Omega$, 
and a conditional If ... then ... else .... 

Definition 6. Finitary PCF-types are given by the grammar: 

$T ::= \mathrm{bool} \mid T \Rightarrow T$ 

PCF terms are given over contexts of typed variables by: 

$M ::= \Omega : T \mid \mathrm{tt} : \mathrm{bool} \mid \mathrm{ff} : \mathrm{bool} \mid x : T \mid$ 
$(\mathrm{If}\ M : \mathrm{bool}\ \mathrm{then}\ M : \mathrm{bool}\ \mathrm{else}\ M : \mathrm{bool}) : \mathrm{bool} \mid$ 
$((M : S \Rightarrow T)\ M : S) : T \mid (\lambda(x : S).M : T) : S \Rightarrow T$ 

Define the equational theory of finitary PCF as follows: 

$(\lambda x.M)\,N =_{PCF} M[N/x]$ 

$\mathrm{If}\ \mathrm{tt}\ \mathrm{then}\ M\ \mathrm{else}\ N =_{PCF} M$ 
$\mathrm{If}\ \mathrm{ff}\ \mathrm{then}\ M\ \mathrm{else}\ N =_{PCF} N$ 
$\mathrm{If}\ \Omega\ \mathrm{then}\ M\ \mathrm{else}\ N =_{PCF} \Omega$ 

It is a well-known fact that every closed term of ground type is provably 
equivalent either to tt, ff or $\Omega$. 

Definition 7 (Observational equivalence). Given closed terms $M, N : T$, 
a compatible program context for $M, N$ is a single-holed context $C[-]$ such that 
$C[M], C[N]$ are closed terms of ground type. 

Then $M \sim N$ ($M$ is observationally equivalent to $N$) if and only if 
for all compatible program contexts $C[-]$, $C[M] =_{PCF} C[N]$. 

Theorem 2 (Loader [?]). The relation $\sim$ is not decidable at all types. 

Finitary models of PCF certainly exist — for instance in the category of ordered 
sets and monotone functions. But a finitary and fully complete model would 
allow contextual equivalence to be decided by generating bounded lists of terms 
containing representatives from each $\sim$-equivalence class. 

Definition 8. A listing algorithm for a typed language is an effective procedure 
for generating a list of (closed) terms at each type $T$, $M_1 : T, M_2 : T, \ldots, M_{n_T} : T$, 
such that for all $N : T$ there exists $i \le n_T$ such that $M_i \sim N$. 

Proposition 3. Given a listing algorithm for PCF, $\sim$ is decidable. 

Proof. $M \sim N$ if and only if for every context $C[-]$, $(\lambda x.C[x])\,M =_{PCF} (\lambda x.C[x])\,N$. 
Hence $M \sim N$ if and only if for every $L : T \Rightarrow \mathrm{bool}$, $L\,M =_{PCF} L\,N$. 
But if $L \sim_{T \Rightarrow \mathrm{bool}} L'$, then $L\,M =_{PCF} L'\,M$ and $L\,N =_{PCF} L'\,N$. Hence 
if $L_1, L_2, \ldots, L_n$ is a list containing elements from every $\sim_{T \Rightarrow \mathrm{bool}}$ equivalence 
class, $M \sim N$ if and only if $L_i\,M =_{PCF} L_i\,N$ for all $i \le n$. 



Proposition 4. Given a finitary and fully complete model of PCF, there is a 
listing algorithm for PCF. 

Proof. At each type $T$ there is a complete list of elements $e_1, e_2, \ldots, e_{n_T} \in [\![T]\!]$. A 
list of terms $M_1, M_2, \ldots, M_{n_T} : T$ such that $[\![M_i]\!] = e_i$ for all $i \le n_T$ can be found 
because a recursive enumeration of all PCF-terms can be given, and searched for 
terms denoting each element (which will exist by full completeness). In any sound 
model, if $[\![M]\!] = [\![N]\!]$ then $M \sim N$, so the list of terms $M_1, M_2, \ldots, M_{n_T} : T$ 
contains elements from each contextual equivalence class. 

Corollary 3. There is no finite and fully complete model of finitary PCF. 

Unary PCF has a single base type unit containing two constants $\top, \bot$ (termination 
and non-termination) and a ‘convergence test’ for $M, N : \mathrm{unit}$, If $M$ then $N$, 
such that 

$\mathrm{If}\ \top\ \mathrm{then}\ M =_{PCF} M, \qquad \mathrm{If}\ \bot\ \mathrm{then}\ M =_{PCF} \bot.$ 

Contextual equivalence can be defined as for finitary PCF, but as shown by 
Loader [?] and Schmidt-Schauß [?] (independently), it can be characterized 
effectively. 

4 The Translation 

The fully complete translation of PCF into $\lambda_{L/NL}$ is in essence very simple. 
It leaves the structure of PCF as a typed, call-by-name λ-calculus unchanged, 
translating the function type of PCF directly into the intuitionistic implication 
of $\lambda_{L/NL}$. The problem is to account for the constants of PCF: the type of 
booleans containing the values tt and ff and the non-termination constant $\Omega$. 
The basic idea is to represent truth-values as ‘Church booleans’ — left and right 
projections from the product $\iota \times \iota$ — in the linear function-space $\iota \times \iota \multimap \iota$. 

Definition 9 ($\circ$-translation on PCF types). 

$\mathrm{bool}^\circ = \iota \times \iota \multimap \iota, \qquad (S \Rightarrow T)^\circ = S^\circ \Rightarrow T^\circ$ 

Non-termination is represented as the use of an undischarged non-linear 
assumption (i.e. a free variable) of ‘empty type’ $\iota$. 

Definition 10. Let $x_0 : \iota$ be a unique $\lambda_{L/NL}$-variable, and $\{y^\circ, z^\circ, \ldots\}$ a set of 
$\lambda_{L/NL}$-variables distinct from $x_0$ so that the correspondence with PCF-variables: 

$y : T \longmapsto y^\circ : T^\circ$ 

is a bijection which extends to PCF contexts. 

The $\circ$-translation is now defined as a mapping from PCF terms-in-context to 
$\lambda_{L/NL}$-terms-in-context: 

$\Gamma \vdash M : T \longmapsto \Gamma^\circ, x_0 : \iota \vdash M^\circ : T^\circ$ 

where $M^\circ$ is defined by structural induction as follows: 

- $(z)^\circ = z^\circ$ 
- $(\Omega : \mathrm{bool})^\circ = \lambda y : \iota \times \iota.(x_0 : \iota)$ 
- $(\Omega : S \Rightarrow T)^\circ = \lambda y : S^\circ.(\Omega : T)^\circ$ 
- $(\lambda z.M)^\circ = \lambda z^\circ.M^\circ$ 
- $(M\,N)^\circ = M^\circ\,N^\circ$ 
- $\mathrm{tt}^\circ = \lambda y : \iota \times \iota.\pi_1(y)$ 
- $\mathrm{ff}^\circ = \lambda y : \iota \times \iota.\pi_2(y)$ 
- $(\mathrm{If}\ L\ \mathrm{then}\ M\ \mathrm{else}\ N)^\circ = \lambda y : \iota \times \iota.L^\circ\,(M^\circ\,y, N^\circ\,y)$ 

This is a sound definition — the translation of $\Gamma \vdash M$ is a derivable 
term-in-context of $\lambda_{L/NL}$ and it respects the operational rules of PCF. 

Proposition 5. The translation is sound with respect to PCF and $\beta\eta\pi$-equalities, 
i.e. if $M, N$ are PCF terms and $M =_{PCF} N$, then $M^\circ =_{\beta\eta\pi} N^\circ$. 

Proof. It is straightforward to show that if $M =_\beta N$, then $M^\circ =_\beta N^\circ$. So it 
remains to observe that the conversions for the conditional are respected, for 
which a representative case is given: 

$(\mathrm{If}\ \mathrm{tt}\ \mathrm{then}\ M\ \mathrm{else}\ N)^\circ = \lambda y.(\lambda x.\pi_1(x))\,(M^\circ\,y, N^\circ\,y)$ 
$=_\beta \lambda y.\pi_1((M^\circ\,y, N^\circ\,y)) =_\pi \lambda y.M^\circ\,y =_\eta M^\circ.$ 

The translation of unary PCF is similar: let $\mathrm{unit}^\circ = \iota \multimap \iota$, and 
$(\top)^\circ = \lambda y.y$, $(\bot)^\circ = \lambda y.x_0$, $(\mathrm{If}\ M\ \mathrm{then}\ N)^\circ = \lambda y.M^\circ\,(N^\circ\,y)$. 
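The $\circ$-translation of Definition 10 and the conditional cases of Proposition 5 can be checked mechanically. The following is an added example, not code from the paper: it builds PCF terms and λ-terms with pairing as Python tuples, translates clause by clause, and normalizes the result under the ($\beta$) and ($\pi$) rules of Definition 4. Generated binder names (`y0`, `y1`, ...) are assumed not to clash with the PCF variable names used (single letters); the types of the target terms are omitted, since only images of well-typed PCF terms, which are strongly normalizing, are ever normalized.

```python
"""Added example (not the paper's code): Definition 10, the circle-translation of
finitary PCF into a lambda-calculus with pairing, plus a beta/pi normalizer that
checks the conditional cases of Proposition 5 mechanically."""
from collections import namedtuple
from itertools import count

# Target calculus.  Types are omitted: only images of well-typed PCF terms are
# normalized, and those are strongly normalizing.
Var, Lam, App = namedtuple("Var", "name"), namedtuple("Lam", "var body"), namedtuple("App", "fun arg")
Pair, Proj = namedtuple("Pair", "fst snd"), namedtuple("Proj", "i arg")   # Proj.i is 1 or 2

# Finitary PCF (Definition 6).  A PCF type is "bool" or ("=>", S, T).
PVar, TT, FF = namedtuple("PVar", "name"), namedtuple("TT", ""), namedtuple("FF", "")
Omega, If = namedtuple("Omega", "type"), namedtuple("If", "cond then els")
PLam, PApp = namedtuple("PLam", "var body"), namedtuple("PApp", "fun arg")

X0 = Var("x0")                     # the unique 'empty type' variable x_0 : iota
_counter = count()
def fresh(prefix="y"):             # generated binders; assumed distinct from the PCF
    return f"{prefix}{next(_counter)}"   # variable names used (e.g. "z", "f")

def translate(m):
    """M -> M°, clause by clause as in Definition 10."""
    if isinstance(m, PVar):  return Var(m.name)                          # (z)° = z°
    if isinstance(m, TT):    y = fresh(); return Lam(y, Proj(1, Var(y)))  # tt° = λy.π1(y)
    if isinstance(m, FF):    y = fresh(); return Lam(y, Proj(2, Var(y)))  # ff° = λy.π2(y)
    if isinstance(m, Omega):
        if m.type == "bool": return Lam(fresh(), X0)                      # (Ω:bool)° = λy.x0
        return Lam(fresh(), translate(Omega(m.type[2])))                  # (Ω:S⇒T)° = λy.(Ω:T)°
    if isinstance(m, PLam):  return Lam(m.var, translate(m.body))        # (λz.M)° = λz°.M°
    if isinstance(m, PApp):  return App(translate(m.fun), translate(m.arg))
    y = fresh()                                    # (If L then M else N)° = λy.L°(M° y, N° y)
    return Lam(y, App(translate(m.cond), Pair(App(translate(m.then), Var(y)),
                                              App(translate(m.els), Var(y)))))

def free_vars(t):
    if isinstance(t, Var):  return {t.name}
    if isinstance(t, Lam):  return free_vars(t.body) - {t.var}
    if isinstance(t, App):  return free_vars(t.fun) | free_vars(t.arg)
    if isinstance(t, Pair): return free_vars(t.fst) | free_vars(t.snd)
    return free_vars(t.arg)                                               # Proj

def subst(t, x, s):
    """t[s/x] with capture-avoiding renaming of binders."""
    if isinstance(t, Var):  return s if t.name == x else t
    if isinstance(t, App):  return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if isinstance(t, Pair): return Pair(subst(t.fst, x, s), subst(t.snd, x, s))
    if isinstance(t, Proj): return Proj(t.i, subst(t.arg, x, s))
    if t.var == x:          return t                                      # x is shadowed
    if t.var in free_vars(s):                     # rename the binder before going under it
        z = fresh("r")
        return Lam(z, subst(subst(t.body, t.var, Var(z)), x, s))
    return Lam(t.var, subst(t.body, x, s))

def normalize(t):
    """Full normal form under the (β) and (π) rules of Definition 4; (η) and the
    surjective-pairing rule are not needed for the checks below."""
    if isinstance(t, Var):  return t
    if isinstance(t, Lam):  return Lam(t.var, normalize(t.body))
    if isinstance(t, Pair): return Pair(normalize(t.fst), normalize(t.snd))
    if isinstance(t, Proj):
        a = normalize(t.arg)
        if isinstance(a, Pair):                   # (π): π_i((t1, t2)) = t_i
            return a.fst if t.i == 1 else a.snd
        return Proj(t.i, a)
    f = normalize(t.fun)
    if isinstance(f, Lam):                        # (β): (λx.t) s = t[s/x]
        return normalize(subst(f.body, f.var, t.arg))
    return App(f, normalize(t.arg))

def alpha_eq(a, b, env=()):
    """Syntactic equality up to renaming of bound variables."""
    if type(a) is not type(b): return False
    if isinstance(a, Var):
        for x, y in env:                          # innermost binding decides
            if a.name == x or b.name == y: return a.name == x and b.name == y
        return a.name == b.name
    if isinstance(a, Lam):  return alpha_eq(a.body, b.body, ((a.var, b.var),) + env)
    if isinstance(a, App):  return alpha_eq(a.fun, b.fun, env) and alpha_eq(a.arg, b.arg, env)
    if isinstance(a, Pair): return alpha_eq(a.fst, b.fst, env) and alpha_eq(a.snd, b.snd, env)
    return a.i == b.i and alpha_eq(a.arg, b.arg, env)

def same_translation(m, n):
    """True iff M° and N° have the same beta/pi normal form (a Proposition 5 check)."""
    return alpha_eq(normalize(translate(m)), normalize(translate(n)))

if __name__ == "__main__":
    print(same_translation(If(TT(), TT(), FF()), TT()))                    # tt case
    print(same_translation(If(Omega("bool"), TT(), FF()), Omega("bool")))  # Ω case
```

The `If tt` case reproduces the calculation in the proof of Proposition 5 up to the final $\eta$-step, which the normalizer does not need because the branches are themselves Church booleans; the `If Ω` case shows the conditional collapsing to the free variable $x_0$, i.e. to $\Omega^\circ$.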

4.1 Normal Forms for $\lambda_{L/NL}$ 

The key to proving full completeness of the translation is a strong 
characterization of the $\beta\eta\pi$-equivalence classes of $\lambda_{L/NL}$ as $\eta$-long normal forms. With 
the exception of the typing restrictions, this is just the standard notion of $\eta$-long 
normal form for the simply-typed λ-calculus with pairing. They are defined here 
for a restricted set of types, sufficient to include the translations of PCF types. 

Definition 11. Define the relevant types by the following grammar: 

$T ::= \iota \mid \iota \times \iota \mid \bar{T} \Rightarrow (T \multimap \iota)$ 

where $\bar{R} \Rightarrow (S \multimap \iota)$ abbreviates $R_1 \Rightarrow (R_2 \Rightarrow (\ldots (R_n \Rightarrow (S \multimap \iota)) \ldots))$. 

Clearly the relevant types include all translations of PCF-types $T^\circ$. 

Definition 12 ($\eta$-long normal forms of $\lambda_{L/NL}$ over relevant types). These 
are given as sets $N(\Gamma; \Sigma; T)$ of terms in context $\Gamma; \Sigma \vdash t : T$. 

$\dfrac{y : \iota \in \Gamma \cup \Sigma}{y \in N(\Gamma; \Sigma; \iota)}$ 

$\dfrac{y : \iota \times \iota \in \Gamma \cup \Sigma}{\pi_1(y), \pi_2(y) \in N(\Gamma; \Sigma; \iota)}$ 

$\dfrac{r_i \in N(\Gamma; \_; R_i)\ (i \le n) \quad s \in N(\Gamma; \Sigma; S) \quad x : \bar{R} \Rightarrow (S \multimap \iota) \in \Gamma}{x\,r_1 \ldots r_n\,s \in N(\Gamma; \Sigma; \iota)}$ 

$\dfrac{r_i \in N(\Gamma; \_; R_i)\ (i \le n) \quad s \in N(\Gamma; \Sigma; S)}{x\,r_1 \ldots r_n\,s \in N(\Gamma; \Sigma, x : \bar{R} \Rightarrow (S \multimap \iota); \iota)}$ 

$\dfrac{s, t \in N(\Gamma; \Sigma; \iota)}{(s, t) \in N(\Gamma; \Sigma; \iota \times \iota)}$ 

$\dfrac{t \in N(\Gamma, x_1 : R_1, \ldots, x_n : R_n; \Sigma, y : S; \iota)}{\lambda \bar{x}.\lambda y.t \in N(\Gamma; \Sigma; \bar{R} \Rightarrow (S \multimap \iota))}$ 

It is necessary to establish that the $\eta$-long forms genuinely provide (unique) 
representatives of each $\beta\eta\pi$-equivalence class. 

Lemma 1. Every term consisting of a single variable of relevant type $x : T$ is 
$\beta\eta\pi$-equivalent to an $\eta$-long form $\hat{x} : T$. 

Proof. Define $\hat{x}$ by induction on the type $T$: 

If $T = \iota$, then $\hat{x} = x$, 

If $T = \iota \times \iota$, then $\hat{x} = (\pi_1(x), \pi_2(x))$, 

If $T = \bar{R} \Rightarrow (S \multimap \iota)$, then $\hat{x} = \lambda \bar{y}.\lambda z.\,x\,\hat{y}_1 \ldots \hat{y}_n\,\hat{z}$. 

Proposition 6. Let $\Gamma; \Sigma \vdash t : T$ be a term-in-context of $\lambda_{L/NL}$ at a translated 
PCF type. Then $t$ is $\beta\eta\pi$-equivalent to a unique $\eta$-long normal form in 
$N(\Gamma; \Sigma; T)$. 

Proof. This is by establishing the following property of $\lambda_{L/NL}$ terms, defined by 
induction on type-structure: 

A term (with free variables) $t : \iota$ is normalizable if it is $\beta\eta\pi$-equivalent to a 
normal form $t'$. 

A term $t : \iota \times \iota$ is normalizable if $\pi_1(t)$ and $\pi_2(t)$ are normalizable. 

A term $t : \bar{S} \Rightarrow T \multimap \iota$ is normalizable if for every sequence of normalizable 
terms of appropriate (and simpler) type, $s_1, \ldots, s_m$, 
$t\,s_1 \ldots s_m : \iota$ is $\beta\eta\pi$-equivalent to a normal form. 

Note that if $t$ is normalizable, then $t$ is itself $\beta\eta\pi$-equivalent to a normal form, 
as $t =_\eta \lambda \bar{x}.t\,\bar{x} =_{\beta\eta\pi} \lambda \bar{x}.t'$, where $t'$ is a normal form of $t\,\bar{x}$. 

Proof that all $\lambda_{L/NL}$-terms at relevant types are normalizable is by induction 
on the number of occurrences of application, pairing, or projection which they 
contain. 

$t$ is assumed to have the form $\lambda \bar{z}.r$, for some (possibly empty) sequence of 
variables $z_1, \ldots, z_n$ and term $r$ which is not a λ-abstraction. 

— If $t$ contains no instances of application, then $r$ is a variable $x$, where either 
$x \notin \{z_1, z_2, \ldots, z_n\}$ or $x = z_j$ for some $j \le n$. 

Then in case $x \ne z_j$ for any $j$, $t\,s_1 \ldots s_m =_\beta x\,s_{n+1} \ldots s_m$. By assumption 
$s_1, \ldots, s_m$ are equivalent to normal forms $s'_1, \ldots, s'_m$. So $t\,s_1 \ldots s_m$ is 
$\beta\eta\pi$-equivalent to the normal form $x\,s'_{n+1} \ldots s'_m$. 

In case $x = z_j$ for some $j \le n$, 
$t\,s_1 \ldots s_m =_\beta s_j\,s_{n+1} \ldots s_m$, and by assumption of normalizability of $s_j$, 
$s_j\,s_{n+1} \ldots s_m$ is $\beta\eta\pi$-equivalent to a normal form. 

— If $r = p\,q$ then if $s_1 \ldots s_m$ are normalizable terms, 

$t\,s_1 \ldots s_m =_\beta ((\lambda \bar{z}.p)\,s_1 \ldots s_n)\,((\lambda \bar{z}.q)\,s_1 \ldots s_n)\,s_{n+1} \ldots s_m$ 

By induction hypothesis, $\lambda \bar{z}.p$, $\lambda \bar{z}.q$ are normalizable, and hence $(\lambda \bar{z}.p)\,s_1 \ldots s_n$ 
and $(\lambda \bar{z}.q)\,s_1 \ldots s_n$ are normalizable. 

Hence $((\lambda \bar{z}.p)\,s_1 \ldots s_n)\,((\lambda \bar{z}.q)\,s_1 \ldots s_n)\,s_{n+1} \ldots s_m$ is equivalent to a 
normal form as required. 

— The cases $r = \pi_i(p)$, and $r = (p, q)$ are similar (and simpler). 

4.2 Completeness of the Translation 

Proposition 7. The $\circ$-translation is fully complete. 

Proof. By Proposition 6 it is sufficient to show that for every $\eta$-long normal 
form $t \in N(\Gamma^\circ, x_0 : \iota; \_; T^\circ)$ there exists $M$ such that $M^\circ =_{\beta\eta\pi} t$. 

This is shown by induction on the number of instances of application in $t$. 

If $T = \mathrm{bool}$ (the important case), then $t = \lambda y : \iota \times \iota.s$, 
where $s \in N(\Gamma^\circ, x_0 : \iota; y : \iota \times \iota; \iota)$. 

— If $s = x_0$, then $t = \lambda y.x_0 = \Omega^\circ$. 

— If $s = \pi_1(y)$, or $\pi_2(y)$, then $t = \lambda y.\pi_1(y) = \mathrm{tt}^\circ$ or $t = \lambda y.\pi_2(y) = \mathrm{ff}^\circ$. 

— If $s = z\,r_1 \ldots r_n$, then $z : S^\circ$ for some PCF-type $S = R_1 \Rightarrow \ldots \Rightarrow R_{n-1} \Rightarrow \mathrm{bool}$, 
$r_1 \in N(\Gamma^\circ, x_0; \_; R_1^\circ), \ldots, r_{n-1} \in N(\Gamma^\circ, x_0; \_; R_{n-1}^\circ)$, and so by hypothesis 
there are PCF terms $N_1, \ldots, N_{n-1}$ such that $N_i^\circ =_{\beta\eta\pi} r_i$ for $i < n$. 
$r_n : \iota \times \iota$, so by definition of $\lambda_{L/NL}$ normal forms, $r_n = (p_1, p_2)$ for some 
$p_1, p_2 \in N(\Gamma^\circ, x_0; y : \iota \times \iota; \iota)$. 

So $\lambda y.p_1, \lambda y.p_2 \in N(\Gamma^\circ, x_0; \_; \mathrm{bool}^\circ)$ are $\eta$-long normal forms at 
PCF-translated types, containing fewer applications than $t$. Hence by induction 
hypothesis there are PCF terms $L_1, L_2$ such that $L_i^\circ =_{\beta\eta\pi} \lambda y.p_i$. 

Putting these terms together, there is a PCF term 

$M = \mathrm{If}\ z\,N_1 \ldots N_{n-1}\ \mathrm{then}\ L_1\ \mathrm{else}\ L_2$ such that 

$M^\circ = \lambda y.z^\circ\,N_1^\circ \ldots N_{n-1}^\circ\,(L_1^\circ\,y, L_2^\circ\,y) =_{\beta\eta\pi} \lambda y.s = t$ 

If $T = R \Rightarrow S$, then $t = \lambda (z : R)^\circ.(s : S^\circ)$, where $s \in N((\Gamma, z)^\circ, x_0; \_; S^\circ)$. 
By hypothesis, there is a PCF term $\Gamma, z : R \vdash N : S$ such that $N^\circ = s$, so 
$(\lambda z.N)^\circ = t$ as required. 

Corollary 4. If there is a fully complete and finitary model of $\lambda_{L/NL}$, then there 
is a fully complete and finitary model of PCF. 

Proof. Let $[\![\Gamma \vdash M : T]\!] = [\![\Gamma^\circ, x_0 : \iota \vdash M^\circ : T^\circ]\!]$. 

Theorem 3. There is no finite and fully complete model of $\lambda_{L/NL}$. 

Proof. Suppose a finitary and fully complete model of $\lambda_{L/NL}$ exists. Then by 
Propositions 3 and 4 and Corollary 4, PCF observational equivalence is decidable. But 
this is a contradiction of Loader’s result, Theorem 2. 

Corollary 5. There are no finitary and fully complete models of affine 
propositional logic. 

By contrast, effective presentability of the fully abstract model of unary PCF 
means that the corresponding fragment of linear logic has a finite model. The key 
difference between the translations appears to be the need to use the additive 
product to translate finitary PCF, whilst the translation of the unary version 
stays within the multiplicative fragment. 



5 Finitary Full Completeness and Intuitionistic Logic 

It has now been established that a logic exists (affine logic) which possesses 
the standard finite model property, but not the finite model property for fully 
complete models. It is a natural question to ask whether there are any natural 
and non-trivial examples of non-finitary logics with the latter property. 

The purely intuitionistic fragment of $\lambda_{L/NL}$ (with the connectives $\Rightarrow$, $\times$) is 
not finitary — it contains the Church numerals. It has been shown by Loader 
[?] that the problem of deciding definability in the standard sets-and-functions 
model of the λ-calculus is undecidable, so it is not possible to cut down this 
model effectively using a definability predicate as defined in [?]. 

However, finitary and fully complete models of this fragment do exist. The 
natural way to demonstrate this is by exhibiting such a model, and it is the object 
of a forthcoming paper to do so, using the category of sequential algorithms [?]. 
However, a simple proof that there are finite and fully complete models 
of intuitionistic logic can be given as a corollary of Padovani’s proof that the 
‘minimal model’ of the λ-calculus with constants is effectively presentable. (For 
simplicity’s sake, only the implicational fragment is considered, but the extension 
to products is straightforward.) 

Theorem 4 (Padovani [?]). Let $\Lambda(\top, \bot)$ be the simply-typed λ-calculus over 
the ground type $\iota$ with two ground-type constants, $\top, \bot : \iota$. Then the contextual 
equivalence on closed terms $s, t$ of the same type: 

$s \sim_{\top,\bot} t$ iff for all compatible closed contexts $C[-] : \iota$, $C[s] =_\beta C[t]$ 

is decidable, and the ‘minimal model’ of $\sim_{\top,\bot}$-classes of terms is effectively 
presentable. 

The pure calculus has no ground type constants, and so contextual equivalence 
is tested at the type $\iota \Rightarrow (\iota \Rightarrow \iota)$. 

Definition 13. Contextual equivalence (the maximal non-trivial congruence 
containing $\beta\eta$-equality) on the simply-typed λ-calculus is defined as follows, for 
terms $s, t : T$: 

$s \sim t \iff \forall (\mathrm{closed})\ C[-] : \iota \Rightarrow (\iota \Rightarrow \iota),\ C[s] =_\beta C[t]$ 

The minimal model of the pure λ-calculus is the model in which $[\![s]\!] = [\![t]\!]$ if and 
only if $s \sim t$. 
Proposition 8. For all pure λ-terms $s, t : T$ (which are also terms of $\Lambda(\top, \bot)$) 

$s \sim t \iff s \sim_{\top,\bot} t$ 

Proof. Suppose $s \not\sim t$; then for some context $C[-] : \iota \Rightarrow \iota \Rightarrow \iota$, $C[s] =_\beta \lambda xy.x$ 
and $C[t] =_\beta \lambda xy.y$, hence $C[s]\,\top\,\bot =_\beta \top$ and $C[t]\,\top\,\bot =_\beta \bot$, so $s \not\sim_{\top,\bot} t$ as 
required. 

Suppose $s \not\sim_{\top,\bot} t$; then for some ground-typed context $C[-]$, 
$C[s] =_\beta \top$ and $C[t] =_\beta \bot$. Let $x, y$ be variables not appearing in $C[\,]$; then 
$\lambda xy.C[s][x/\top][y/\bot] =_\beta \lambda xy.x$ and $\lambda xy.C[t][x/\top][y/\bot] =_\beta \lambda xy.y$, and so $s \not\sim t$ as 
required. 

The equivalence $\sim_{\top,\bot}$ is extensional ($t \sim_{\top,\bot} s$ if and only if $s\,r \sim_{\top,\bot} t\,r$ for all 
$r : S$) and hence there are only finitely many $\sim_{\top,\bot}$-equivalence classes at each 
type. 

Corollary 6. The minimal model of the pure simply-typed λ-calculus is finitary 
— i.e. there are finitely many $\sim$-equivalence classes at each type. 

To give a listing algorithm for the pure calculus, it is necessary to be able to 
determine which $\Lambda(\top, \bot)$-terms are equivalent to constant-free terms. 

Definition 14. A term $t : T$ of $\Lambda(\top, \bot)$ is total if $t[\bot/\top] \sim_{\top,\bot} t[\top/\bot] \sim_{\top,\bot} t$. 

Say that a type (i.e. proposition) $T$ is provable if there is a closed term $t : T$ of 
the pure λ-calculus. 

Proposition 9 (Weak Completeness). $T$ is a provable type if and only if 
there exists a total $\Lambda(\top, \bot)$ term of type $T$. 

Proof. All pure λ-terms are clearly total, so the implication from right to left is 
trivial. For the converse, a trivial induction suffices to show that any type $T$ is 
provable if and only if $T \Rightarrow \iota$ is not provable. So suppose for a contradiction that 
there exists a total term $t : T$, where $T$ is not provable, and hence there exists 
a pure λ-term $s : T \Rightarrow \iota$. Then $s\,t : \iota$ is a total term, but (up to $\beta$-equality) the 
only closed terms of type $\iota$ are $\top$ and $\bot$, which are obviously not total. This is 
the required contradiction. 

Proposition 10 (Strong completeness). A (closed) term $t : T$ of $\Lambda(\top, \bot)$ is 
total if and only if there exists a pure λ-term $s : T$ such that $s \sim_{\top,\bot} t$. 

Proof. Suppose $t : T = \bar{S} \Rightarrow \iota$ is total. Then by Proposition 9, $T$ is provable; there 
exists a pure λ-term $r : T$. Then there is a pure term $s = \lambda \bar{x} : \bar{S}.(t[r\,\bar{x}/\top][r\,\bar{x}/\bot])\,\bar{x}$ 
such that $s \sim_{\top,\bot} t$. For any $\Lambda(\top, \bot)$ terms $p_1 : S_1, \ldots, p_n : S_n$, suppose w.l.o.g. 
$r\,p_1 \ldots p_n =_\beta \top$. Then $s\,p_1 \ldots p_n =_\beta t[\top/\bot]\,p_1 \ldots p_n =_\beta t\,p_1 \ldots p_n$ by definition 
of totality, and hence $s \sim_{\top,\bot} t$. 

Corollary 7. The minimal model of the pure simply-typed λ-calculus is 
effectively presentable. (And so this is a finitary and fully complete model of 
intuitionistic implicational logic). 
Proof. By Padovani’s result, there is a listing algorithm for the minimal model 
of $\Lambda(\top, \bot)$, and this yields a listing algorithm for the minimal model of the pure 
simply-typed λ-calculus since there is an effective procedure for finding the total 
terms of $\Lambda(\top, \bot)$ and for finding pure terms which are equivalent to them. 

Compare the existence of a listing algorithm for this notion of minimal model 
with the undecidability of definability for set-theoretic models of the pure 
λ-calculus [?]. A similar contrast to Loader’s result for finitary PCF is provided 
by the effectively presentable model of PCF with control operators described 
by Cartwright, Curien and Felleisen [?]. In fact, it will now be shown there is a 
continuation-passing style translation from such a language (finitary μPCF) into 
the non-linear fragment ($\Rightarrow$, $\times$) of $\lambda_{L/NL}$ which is a conservative extension of 
the $\circ$-translation (on terms). Hence, the effective presentability of the minimal 
model can be used to give an alternative proof of effective presentability for the 
fully abstract model of finitary μPCF. 

The language μPCF is PCF extended with first class continuations 
in the form of control operations called naming and μ-abstraction. Finitary 
μPCF has base types of booleans bool and the empty type 0. Terms are given in 
contexts (sets of typed variables, and names of ground type). (This is equivalent 
under call-by-name to adding names at all types [?]). The typing judgements 
for PCF are extended with the following rules: 

$\dfrac{\Gamma \vdash M : \mathrm{bool}; \Delta}{\Gamma \vdash [\alpha]M : 0; \Delta, \alpha}$ 
$\qquad$ 
$\dfrac{\Gamma \vdash M : 0; \Delta, \alpha}{\Gamma \vdash \mu\alpha.M : \mathrm{bool}; \Delta}$ 

The equational theory of μPCF extends the PCF theory: 

($\mu\eta$) $\mu\alpha.[\alpha]M =_{\mu PCF} M$ 

and if $E[-] = [\beta][-]$, or $E[-] = [\beta]\mathrm{If}\ [-]\ \mathrm{then}\ L\ \mathrm{else}\ N$ for some $L, N$, 

($\mu\beta$) $E[\mu\alpha.M] =_{\mu PCF} M[E[\,]/\alpha]$ 

where $M[E[\,]/\alpha]$ means replace every named subterm $[\alpha]N$ in $M$ with $E[N]$. 

Definition 15 ($\diamond$-translation). Translation of types: 

$0^\diamond = \iota, \qquad \mathrm{bool}^\diamond = (\iota \times \iota \Rightarrow \iota), \qquad (S \Rightarrow T)^\diamond = S^\diamond \Rightarrow T^\diamond.$ 

The translation of terms is conservative over the $\circ$-translation for PCF. 

For each name $\alpha$, assume a distinguished variable $x_\alpha : \iota \times \iota$, and let 
$\{\alpha, \beta, \gamma, \ldots\}^\diamond = \{x_\alpha : \iota \times \iota, x_\beta : \iota \times \iota, x_\gamma : \iota \times \iota, \ldots\}$. 

$\Gamma \vdash M : T; \Delta$ is translated to $x_\omega : \iota, \Gamma^\diamond, \Delta^\diamond \vdash M^\diamond : T^\diamond$ as follows: 

- $\Omega^\diamond = \lambda y.x_\omega$, $\mathrm{tt}^\diamond = \lambda x.\pi_1(x)$, $\mathrm{ff}^\diamond = \lambda x.\pi_2(x)$ 
- $(\mathrm{If}\ M\ \mathrm{then}\ N_1\ \mathrm{else}\ N_2)^\diamond = \lambda y.M^\diamond\,(N_1^\diamond\,y, N_2^\diamond\,y)$ 
- $(x)^\diamond = x^\diamond$, $(\lambda x.M)^\diamond = \lambda x^\diamond.M^\diamond$, $(M\,N)^\diamond = M^\diamond\,N^\diamond$ 
- $([\alpha]M)^\diamond = (M^\diamond\,x_\alpha)$, $(\mu\alpha.M)^\diamond = \lambda x_\alpha.M^\diamond$. 
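As an added check, not carried out in the paper, the two μPCF equations can be pushed through the $\diamond$-translation just as Proposition 5 treats the conditional; only Definition 15 and the ($\beta$), ($\eta$) rules of Definition 4 are used, together with the usual side condition on ($\mu\eta$) that $\alpha$ does not occur in $M$ (an assumption here, since the page does not state it). 

For ($\mu\eta$): 

$(\mu\alpha.[\alpha]M)^\diamond = \lambda x_\alpha.(M^\diamond\,x_\alpha) =_\eta M^\diamond$, as $x_\alpha \notin FV(M^\diamond)$ when $\alpha$ does not occur in $M$. 

For ($\mu\beta$) with $E[-] = [\beta][-]$: 

$([\beta]\mu\alpha.M)^\diamond = (\lambda x_\alpha.M^\diamond)\,x_\beta =_\beta M^\diamond[x_\beta/x_\alpha] = (M[E[\,]/\alpha])^\diamond$, 

since every occurrence of $x_\alpha$ in $M^\diamond$ arises from a subterm $[\alpha]N$ of $M$, whose translation $N^\diamond\,x_\alpha$ becomes $N^\diamond\,x_\beta = ([\beta]N)^\diamond$ under the substitution. 

For ($\mu\beta$) with $E[-] = [\beta]\mathrm{If}\ [-]\ \mathrm{then}\ L\ \mathrm{else}\ N$, writing $p = (L^\diamond\,x_\beta, N^\diamond\,x_\beta)$: 

$([\beta]\mathrm{If}\ \mu\alpha.M\ \mathrm{then}\ L\ \mathrm{else}\ N)^\diamond = (\lambda y.(\lambda x_\alpha.M^\diamond)\,(L^\diamond\,y, N^\diamond\,y))\,x_\beta =_\beta (\lambda x_\alpha.M^\diamond)\,p =_\beta M^\diamond[p/x_\alpha]$, 

while on the right-hand side each $[\alpha]Q$ in $M$ is replaced by $[\beta]\mathrm{If}\ Q\ \mathrm{then}\ L\ \mathrm{else}\ N$, whose translation is 

$(\lambda y.Q^\diamond\,(L^\diamond\,y, N^\diamond\,y))\,x_\beta =_\beta Q^\diamond\,p = (Q^\diamond\,x_\alpha)[p/x_\alpha]$, 

so $(M[E[\,]/\alpha])^\diamond =_\beta M^\diamond[p/x_\alpha]$ and both sides of ($\mu\beta$) have the same $\beta$-normal form. 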

The proof of the following proposition follows that for Proposition 7 using 
$\eta$-long normal forms. 
Proposition 11. The $\diamond$-translation is fully complete. 

Corollary 8. The $\diamond$-translation is fully abstract: 
i.e. for all μPCF terms $M, N : T$, $M \sim N$ if and only if $M^\diamond \sim N^\diamond$. 

Proof. Suppose $M^\diamond \not\sim N^\diamond$. Then $C[M^\diamond] =_\beta \lambda xy.x$ and $C[N^\diamond] =_\beta \lambda xy.y$ for 
some context $C[-] : \iota \Rightarrow \iota \Rightarrow \iota$. Then by full completeness of the translation there 
exists a μPCF term $L : T \Rightarrow \mathrm{bool}$ such that $L^\diamond = \lambda z.\lambda y : \iota \times \iota.(C[z]\,\pi_1(y)\,x_\omega)$. 
Then $(L\,M)^\diamond = L^\diamond\,M^\diamond =_\beta \mathrm{tt}^\diamond$ and $(L\,N)^\diamond = L^\diamond\,N^\diamond =_\beta \Omega^\diamond$, and $M \not\sim N$ as 
required. 

Corollary 9. The fully abstract model of finitary μPCF is effectively presentable. 

5.1 Further Work 

Intuitionistic implicational logic has the finite denotational model property, 
whilst linear and affine logic do not. The most obvious open question, 
therefore (as for decidability of provability), concerns multiplicative-exponential logic. 
A solution to this problem can be expected to be hard — a finite and fully 
complete model of MELL would allow provability for this fragment to be decided, 
which itself is a difficult open problem [?]. Even finding a fully complete and 
finitary model of the multiplicative fragment ($\multimap$, $\Rightarrow$) of $\lambda_{L/NL}$ — or a proof that 
no such model exists — is a goal which could provide insight into the decidability 
question. 
Abstract. We present a unified framework for the study of the complexity 
of counting functions and multivariate polynomials such as the 
permanent and the hamiltonian in the computational model of Blum, 
Shub and Smale. For $\mathrm{P}_{\mathbb{R}}$ we introduce complexity classes $\mathrm{GenP}_{\mathbb{R}}$ and 
$\mathrm{CGenP}_{\mathbb{R}}$. The class $\mathrm{GenP}_{\mathbb{R}}$ consists of the generating functions for 
graph properties (decidable in polynomial time) first studied in the context 
of Valiant’s VNP by Bürgisser. $\mathrm{CGenP}_{\mathbb{R}}$ is an extension of $\mathrm{GenP}_{\mathbb{R}}$ 
where the graph properties may be subject to numeric constraints. 

We show that $\mathrm{GenP}_{\mathbb{R}} \subseteq \mathrm{CGenP}_{\mathbb{R}} \subseteq \mathrm{EXP}_{\mathbb{R}}$ and exhibit complete 
problems for each of these classes. In particular, for $(n \times n)$ matrices 
$M$ over $\mathbb{R}$, $ham(M)$ is complete for $\mathrm{GenP}_{\mathbb{R}}$, but the exact complexity 
of $per(M) \in \mathrm{GenP}_{\mathbb{R}}$ remains open. Complete problems for $\mathrm{CGenP}_{\mathbb{R}}$ 
are obtained by converting optimization problems which are hard to 
approximate, as studied by Zuckerman, into corresponding generating 
functions. 

Finally, we enlarge once more the class of generating functions by allowing 
additionally a kind of non-combinatorial counting. This results in 
a function class $\mathrm{Met\text{-}GenP}_{\mathbb{R}}$ for which we also give a complete member: 
evaluating a polynomial in the zeros of another one and summing 
up the results. The class $\mathrm{Met\text{-}GenP}_{\mathbb{R}}$ is also a generalization of $\#\mathrm{P}_{\mathbb{R}}$, 
introduced by Meer [?]. 

Due to lack of space we will prove here only the $\mathrm{Met\text{-}GenP}_{\mathbb{R}}$ result. In 
the full paper the other theorems will also be established rigorously. 
1 Introduction 

Valiant, in a fundamental paper [?], has shown that the matrix functions 
$per(M)$ and $ham(M)$ defined on $(n \times n)$ matrices $M = (m_{ij})$ over a field $F$ by 

$per(M) = \sum_{\pi \in S_n} \prod_{i=1}^{n} m_{i\pi(i)}$ 

and 

$ham(M) = \sum_{\pi \in C_n} \prod_{i=1}^{n} m_{i\pi(i)}$ 

are typically hard to compute. Here $S_n$ ($C_n$) denotes the set of (cyclical) 
permutations of $\{1, \ldots, n\}$. To make the difficulty of computation precise, Valiant 
introduced his (non-uniform) model of computation of straight line programs and 
the complexity classes $\mathrm{VP}_F$ and $\mathrm{VNP}_F$, cf. [?]. In spite of the beauty of 
this approach, there are various drawbacks in this model of computation, which 
the Blum, Shub and Smale model (BSS) of computation, cf. [BCSS98], proposes 
to overcome. In his paper [?], Meer introduces counting problems over the 
reals $\mathbb{R}$ in the BSS model and its associated complexity class $\#\mathrm{P}_{\mathbb{R}}$. However, 
$per(M) \in \#\mathrm{P}_{\mathbb{R}}$ only for $m_{ij} \in \{0, 1\}$. Meer analyses the logical definability of 
problems in $\#\mathrm{P}_{\mathbb{R}}$ and obtains results analogous to those of Saluja, Subrahmanyam 
and Thakur [?]. The issue of complete problems for $\#\mathrm{P}_{\mathbb{R}}$, however, is not 
discussed explicitly. 

In this paper we work in the BSS model and its extension to allow structured 
inputs as proposed by Grädel and Gurevich [GG98]. We propose a larger 
framework of counting functions based on an idea of Bürgisser [Bur99]. With the 
complexity class $\mathrm P_{\mathbb R}$ we associate new complexity classes $\mathrm{GenP}_{\mathbb R}$, $\mathrm{CGenP}_{\mathbb R}$ and 
$\mathrm{MinP}_{\mathbb R}$ as classes of generating and minimizing functions of graph properties 
verifiable in $\mathrm P_{\mathbb R}$. Roughly speaking, a function $f$ in $\mathrm{GenP}_{\mathbb R}$ has the following 
form: consider a meta-finite structure $\mathcal D$; its underlying finite structure should be 
$(A, R^A)$ with finite universe $A = \{1, \dots, n\}$ and relations $R^A$. Its weight functions 
are denoted by $\mathcal W$. Now let $\mathcal E$ be a $\mathrm P_{\mathbb R}$-computable class of meta-finite structures 
of signature $R$, $\mathcal W$ and additionally $U$. Here $U$ denotes relation symbols 
on the underlying finite universe. For the class $\mathrm{GenP}_{\mathbb R}$ we consider membership 
of a meta-finite structure $\mathcal A := (A, R^A, U^A, \mathcal W)$ in $\mathcal E$ as only depending on the 
underlying finite structure $(A, R^A, U^A)$. An $f \in \mathrm{GenP}_{\mathbb R}$ now is evaluated on $\mathcal D$; 
it depends on the $(A, R^A)$ part of $\mathcal A$ and on an $\mathbb R$-term $t(x)$, which itself depends on 
the real number part $\mathcal W$ of $\mathcal A$; $f$ has the form 

$$Gen_{\mathcal E}((A, R^A), t) = \sum_{(A, R^A, U) \in \mathcal E} \ \prod_{x \in U} t(x).$$ 

If the class $\mathcal E$ may also depend on the $\mathcal W$ part of $\mathcal A$ we get $\mathrm{CGenP}_{\mathbb R}$. 

If instead of the sum of products we consider 

$$Min_{\mathcal E}((A, R^A), t) = \min_{(A, R^A, U) \in \mathcal E} \ \sum_{x \in U} t(x)$$ 

we have functions in $\mathrm{MinP}_{\mathbb R}$ and $\mathrm{CMinP}_{\mathbb R}$, respectively, which cover wide 
classes of Linear Programming problems with possible additional (non-linear) 
constraints. 

To express, say, $ham(M)$ in this form, we take $\mathcal E$ to consist of structures 
$(A, R^A, U^A, w)$ with $(A, R^A, w)$ graphs with edge weights $w(x, y)$ in $\mathbb R$, where $U^A$ 
ranges over all Hamiltonian cycles of the graph and $t(x, y) = w(x, y)$. $M$ is the 
weighted adjacency matrix of $(A, R^A, w)$. If $U^A$ ranges over all cycle covers rather 
than Hamiltonian cycles, we get the permanent. It follows from the definitions 
that 

$$\mathrm{GenP}_{\mathbb R} \subseteq \mathrm{CGenP}_{\mathbb R} \subseteq \mathrm{EXPT}_{\mathbb R},$$ 

and both $per(M) \in \mathrm{GenP}_{\mathbb R}$ and $ham(M) \in \mathrm{GenP}_{\mathbb R}$. 

A typical example of a function in $\mathrm{MinP}_{\mathbb R}$ is given by the cost version of the 
Traveling Salesman Problem $TSP_{cost}$: Given an edge weighted graph, compute 
the minimum cost of a Hamiltonian tour. Here the cost is given by $t(x)$. Clearly 
we have 

$$\mathrm{MinP}_{\mathbb R} \subseteq \mathrm{CMinP}_{\mathbb R} \subseteq \mathrm{EXPT}_{\mathbb R},$$ 

but the relationship between $\mathrm{MinP}_{\mathbb R}$ and $\mathrm{GenP}_{\mathbb R}$ (as well as $\mathrm{CMinP}_{\mathbb R}$ and 
$\mathrm{CGenP}_{\mathbb R}$) remains, for the time being, open. 

Now let $\gamma(U)$ be a polynomial time computable function of the weights of 
elements in $U$. We are thinking here of an additional constraint function. We 
modify the permanent and the Hamiltonian matrix function similarly to [Zuc96]. 
We restrict the summation to permutations $U = \pi$ with $\gamma(\pi) = 0$, i.e. 

$$per_{\gamma(U)=0}(M) = \sum_{\substack{\pi \in S_n \\ \gamma(\pi) = 0}} \ \prod_{i=1}^{n} m_{i,\pi(i)}$$ 

(and analogously for $ham_{\gamma(U)=0}(M)$). Clearly, both $per_{\gamma(U)=0}(M)$ and 
$ham_{\gamma(U)=0}(M)$ are in $\mathrm{CGenP}_{\mathbb R}$. Similarly, we modify $TSP_{cost}$ to obtain 
$TSP_{cost}(\gamma(U) = 0)$: Given an edge weighted graph, compute the minimum cost 
of a Hamiltonian tour under the additional constraint $\gamma(U) = 0$. 

We obtain 

Theorem 1. $per_{\gamma(U)=0}(M)$ and $ham_{\gamma(U)=0}(M)$ are $\mathrm{CGenP}_{\mathbb R}$-complete. 

and 

Theorem 2. $TSP_{cost}(\gamma(U) = 0)$ is $\mathrm{CMinP}_{\mathbb R}$-complete. 

We also show 

Theorem 3. $ham(M)$ is $\mathrm{GenP}_{\mathbb R}$-complete and $TSP_{cost}$ is $\mathrm{MinP}_{\mathbb R}$-complete. 
However, it remains open whether $per(M)$ is $\mathrm{GenP}_{\mathbb R}$-complete. 

Contrary to $\sharp\mathrm P_{\mathbb R}$, the class $\mathrm{GenP}_{\mathbb R}$ captures the permanent computation of 
a matrix $M$ with arbitrary entries. However, there is another major difference 
between the two classes which implies that the former is not a subclass of the latter. 
In $\sharp\mathrm P_{\mathbb R}$ the counting is done in relation with non-combinatorial features, i.e. 
the corresponding functions count satisfying guesses within an $\mathrm{NP}_{\mathbb R}$ verification 
procedure. The latter guesses in general are vectors of reals. This is not possible 
within $\mathrm{GenP}_{\mathbb R}$. In Section 4 we therefore show how to enlarge the definition of 
generating functions once more to capture also counting processes as they are 
present in $\sharp\mathrm P_{\mathbb R}$. The class $\mathrm{Met\text{-}GenP}_{\mathbb R}$ is obtained that way; it generalizes both 
$\sharp\mathrm P_{\mathbb R}$ and $\mathrm{GenP}_{\mathbb R}$. 

We consider the feasibility problem $F_{zero}$ which stands for all real polynomials 
having a real zero and show 

Theorem 4. Let $\mathcal D$ be an $\mathbb R$-structure with two weight functions $t_1, t_2$ representing 
two polynomials of degrees 4 and $k$ resp., in the same number of unknowns 
(cf. Example 1 below). 

The function 

$$\sum_{(\mathcal D, t_1, z) \in F_{zero}} \ \sum_{x \in A^k} t_2(x) \prod_{a \in x} z(a)$$ 

is complete in $\mathrm{Met\text{-}GenP}_{\mathbb R}$ under reductions in $\mathrm P_{\mathbb R}$ (where the condition under the 
first summation refers to the real zeros of that polynomial whose coefficients are 
represented by $t_1$). 



This paper opens an avenue to classify the complexity of combinatorial functions 
in the BSS model which are in $\mathrm{EXPT}_{\mathbb R}$ on the one hand and of a kind 
of non-combinatorial generalization on the other. We exemplify our approach 
with a wide class of generating functions of graph properties and cost optimization 
problems in Linear Programming. The novelty of our approach consists in 
the identification of such functions as complete in their respective setting. The 
results are not really surprising, but neither are they obvious. 

In this extended abstract we will focus on a rigorous proof for Theorem 4 
only. The proofs of the other statements are similar in spirit, but of course some 
care has to be taken. They will be given in the full version of this paper. 



2 Background on $\mathbb R$-Structures 

In this section we recall the basic notion of an $\mathbb R$-structure. It is a special 
case of so called meta-finite structures introduced in [GG98]. $\mathbb R$-structures were 
first analyzed in [GM95]. 

We suppose the reader familiar with the main terminology of logic as well as 
with the concepts of vocabulary, first-order formula or sentence, interpretation 
and structure (see for example [?]). 

Let $\mathbb R^\infty$ denote the set of finite sequences of real numbers, i.e. $\mathbb R^\infty = \bigcup_{k \in \mathbb N} \mathbb R^k$. 

Definition 1. Let $L_s, L_f$ be finite vocabularies where $L_s$ may contain relation 
and function symbols, and $L_f$ contains function symbols only. An $\mathbb R$-structure of 
signature $\sigma = (L_s, L_f)$ is a pair $\mathcal D = (\mathcal A, \mathcal F)$ consisting of 

(i) a finite structure $\mathcal A$ of vocabulary $L_s$, called the skeleton of $\mathcal D$, whose universe 
$A$ will also be said to be the universe of $\mathcal D$, and 

(ii) a finite set $\mathcal F$ of functions $X : A^k \to \mathbb R$ interpreting the function symbols 
in $L_f$ (with $k$ the arity of the respective symbol). 

Definition 2. Let $\mathcal D$ be an $\mathbb R$-structure with skeleton $\mathcal A$. We denote by $|\mathcal A|$ and 
also by $|\mathcal D|$ resp. the cardinality of the universe $A$ of $\mathcal A$. This number is called the 
size of the structure $\mathcal D$. An $\mathbb R$-structure $\mathcal D = (\mathcal A, \mathcal F)$ is ranked if there is a unary 
function symbol $r \in L_f$ whose interpretation $\rho$ in $\mathcal F$ bijects $A$ with $\{0, 1, \dots, |A| - 1\}$. 
The function $\rho$ is called ranking. We will write $i < j$ for $i, j \in A$ iff $\rho(i) < \rho(j)$. 
A $k$-ranking on $A$ is a bijection between $A^k$ and $\{0, 1, \dots, |A|^k - 1\}$. It can 
easily be defined if a ranking is available. We denote by $\rho^k$ the interpretation of 
the $k$-ranking induced by $\rho$. 

Throughout this paper we suppose all $\mathbb R$-structures to be ranked. We therefore 
notationally suppress the symbol $r$ in the sets $\mathcal F$ considered. 

Example 1. Let us see how to describe a real polynomial of degree at 
most 4 as an $\mathbb R$-structure. 

Consider the signature $(\emptyset, \{r, c\})$ where the arities of $r$ and $c$ are 1 and 4 
respectively, and require that $r$ is interpreted as a ranking. 

Let $\mathcal D = (\mathcal A, \mathcal F)$ be any $\mathbb R$-structure where $\mathcal F$ consists of interpretations 
$C : A^4 \to \mathbb R$ and $\rho : A \to \mathbb R$ of $c$ and $r$. Let $n = |A| - 1$ so that $\rho$ bijects $A$ 
with $\{0, 1, \dots, n\}$. Then $\mathcal D$ defines a homogeneous polynomial $g \in \mathbb R[X_0, \dots, X_n]$ 
of degree four, namely 

$$g = \sum_{i, j, k, l \in A} C(i, j, k, l) \, X_i X_j X_k X_l,$$ 

where the elements of $A$ are identified with $\{0, 1, \dots, n\}$ via $\rho$. 

We obtain an arbitrary, that is, not necessarily homogeneous, polynomial $g \in 
\mathbb R[X_1, \dots, X_n]$ of degree four by setting $X_0 = 1$ in $g$. We also say that $\mathcal D$ defines 
$g$. Notice that for every polynomial $g$ of degree four in $n$ variables there is an 
$\mathbb R$-structure $\mathcal D$ of size $n + 1$ such that $\mathcal D$ defines $g$. 

Clearly, this example can easily be extended to $\mathbb R$-structures which represent 
systems of polynomials. In Section 4 we are in particular interested in structures 
giving two polynomials in the same number of variables. 

3 Generating Functions of Graph Properties 

We will shortly define the concept of generating functions of graph properties. 
Full details can be found in [Mak00]. 

Consider an edge-weighted graph $G = (V, E, t)$, that is a graph together 
with a weight function $t : E \to \mathbb R$. For a subset $E'$ of $E$ we extend $t$ to be 

$$t(E') = \prod_{e \in E'} t(e).$$ 

Generating functions are now defined based on graph properties $\mathcal E$. 

Definition 3. Given a graph property $\mathcal E$ the generating function $Gen_{\mathcal E}$ assigns 
to every edge-weighted graph $G = (V, E, t)$ the value 

$$Gen_{\mathcal E}(G) := \sum_{E' \subseteq E} t(E'),$$ 

where the sum is taken over all subsets $E'$ such that the graph $(V, E')$ has property 
$\mathcal E$. 

As already indicated in the introduction this definition can be modified in 
(different) straightforward manners such as taking a minimum. We are in particular 
interested in looking at $G$ as a meta-finite structure (see below) and varying 
the way property $\mathcal E$ depends on it. 

Important examples of generating functions are the ones explained in the 
introduction (permanent, Hamiltonian etc.). 
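As an added example (not code from the paper), the following Python computes $Gen_{\mathcal E}(G)$ by enumerating edge subsets exactly as in Definition 3 and checks it against Valiant's definitions of $per(M)$ and $ham(M)$ from the introduction, including the constrained variant $per_{\gamma(U)=0}(M)$; the matrix, the property predicates and the constraint $\gamma$ (number of loops minus one) are constructed for the illustration.

```python
"""Generating functions of graph properties (added example, not from the paper).

Gen_E(G) sums, over all edge subsets E' of E for which (V, E') has property E,
the product of the edge weights in E'.  With E = "cycle cover" this is per(M),
with E = "Hamiltonian cycle" it is ham(M); an extra constraint gamma(U) = 0 on
the selected edge set gives the CGenP_R-style variants from the introduction.
"""
from itertools import permutations
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Edge = Tuple[int, int]            # directed edge (i, j); loops (i, i) are allowed
Weights = Dict[Edge, float]       # t : E -> R ; edges not listed have weight 0
Property = Callable[[int, FrozenSet[Edge]], bool]


def is_cycle_cover(n: int, sub: FrozenSet[Edge]) -> bool:
    """(V, sub) is a cycle cover: every vertex has in- and out-degree 1."""
    if len(sub) != n:
        return False
    outs = {i for i, _ in sub}
    ins = {j for _, j in sub}
    return len(outs) == n and len(ins) == n


def is_hamiltonian_cycle(n: int, sub: FrozenSet[Edge]) -> bool:
    """(V, sub) is a single directed cycle through all n vertices."""
    if not is_cycle_cover(n, sub):
        return False
    succ = dict(sub)                # out-degree 1, so the edge set is a function
    v, steps = 1, 0
    while True:                     # walk the cycle starting at vertex 1
        v = succ[v]
        steps += 1
        if v == 1:
            return steps == n


def gen(n: int, t: Weights, prop: Property,
        gamma: Optional[Callable[[FrozenSet[Edge]], float]] = None) -> float:
    """Gen_E(G) = sum over E' subset E with (V,E') in E [and gamma(E') = 0]
    of prod_{e in E'} t(e)  (Definition 3, plus the optional constraint)."""
    edges: List[Edge] = list(t)
    total = 0.0
    for mask in range(1 << len(edges)):             # enumerate all subsets of E
        sub = frozenset(e for b, e in enumerate(edges) if mask >> b & 1)
        if not prop(n, sub):
            continue
        if gamma is not None and gamma(sub) != 0:   # numeric side constraint
            continue
        w = 1.0
        for e in sub:
            w *= t[e]
        total += w
    return total


def weights_of(M: List[List[float]]) -> Weights:
    """Weighted adjacency matrix M (vertices 1..n) as the edge weight function t."""
    n = len(M)
    return {(i + 1, j + 1): M[i][j]
            for i in range(n) for j in range(n) if M[i][j] != 0}


def _is_single_cycle(pi: Tuple[int, ...]) -> bool:
    """pi (on 0..n-1) is cyclical, i.e. a single n-cycle."""
    v, steps = 0, 0
    while True:
        v, steps = pi[v], steps + 1
        if v == 0:
            return steps == len(pi)


def permanent(M: List[List[float]]) -> float:
    """Valiant's definition: per(M) = sum_{pi in S_n} prod_i m_{i,pi(i)}."""
    n = len(M)
    total = 0.0
    for pi in permutations(range(n)):
        w = 1.0
        for i in range(n):
            w *= M[i][pi[i]]
        total += w
    return total


def hamiltonian(M: List[List[float]]) -> float:
    """ham(M) = sum over cyclical permutations pi in C_n of prod_i m_{i,pi(i)}."""
    n = len(M)
    total = 0.0
    for pi in permutations(range(n)):
        if not _is_single_cycle(pi):
            continue
        w = 1.0
        for i in range(n):
            w *= M[i][pi[i]]
        total += w
    return total


def loops_minus_one(sub: FrozenSet[Edge]) -> int:
    """Constructed constraint gamma(U) := (#loops in U) - 1; it is zero exactly
    for cycle covers whose permutation has one fixed point."""
    return sum(1 for i, j in sub if i == j) - 1


# Constructed sample input: a 3x3 real weighted adjacency matrix.
M = [[1.0, 2.0, 3.0],
     [4.0, 5.0, 6.0],
     [7.0, 8.0, 9.0]]
```

For the sample matrix the subset enumeration and the permutation formulas agree: $per(M) = 450$, $ham(M) = 180$, and the constrained $per_{\gamma(U)=0}(M)$ over permutations with exactly one fixed point is $225$.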

The theory can also be extended to $R$-structures where $R$ is an arbitrary 
ring. In [Mak00] $R = \mathbb R[X]$, the polynomial ring over $\mathbb R$ in the variables 
$X_1, X_2, \dots$. Typical generating functions in this case are Tutte polynomials, Jones 
polynomials and Kauffman brackets. 

4 Non-combinatorial Counting 

In this section we will further generalize the previously defined concepts. So far, 
the counting operation related to our generating functions was of combinatorial 
kind. More precisely, for a given $\mathbb R$-structure $\mathcal D$ the summation is taken over all 
$U$ such that $(\mathcal D, U) \in \mathcal E$. Here $U$ is a relation over the finite universe $A$ of $\mathcal D$. 
Thus, only finitely many valid assignments for $U$ exist. For each of them a real 
number term is then evaluated. 

In [Mee97] a real counting class $\sharp\mathrm P_{\mathbb R}$ is defined. It is given as all functions $f$ 
such that the values $f(x)$ correspond to the number of accepting guesses for an 
$\mathrm{NP}_{\mathbb R}$ machine $M$ with input $x \in \mathbb R^\infty$. 

Definition 4. The class $\sharp\mathrm P_{\mathbb R}$ is given by all functions $f : \mathbb R^\infty \to \{0, 1\}^\infty \cup 
\{\infty\}$ such that there exists a BSS-machine $M$ working in polynomial time and 
a polynomial $q$ satisfying 

$$f(y) = \left|\{ z \in \mathbb R^{q(|y|)} \mid M(y, z) \text{ is an accepting computation} \}\right| .$$ 

The major difference between functions in $\sharp\mathrm P_{\mathbb R}$ and the generating functions 
defined above is the dependence of the former on real number guesses. From the 
point of view of the BSS model this difference is due to the fact that the decision 
problem "is there a $U$ such that $(\mathcal D, U) \in \mathcal E$?" belongs to the class $\mathrm{DNP}_{\mathbb R}$. 
This class is a subclass of $\mathrm{NP}_{\mathbb R}$ and denotes those problems in $\mathrm{NP}_{\mathbb R}$ where the 
verification procedure makes use of digital guesses (i.e. zeros and ones) only. The 
general power of $\mathrm{NP}_{\mathbb R}$ allows to guess arbitrary reals. Problems in $\mathrm{DNP}_{\mathbb R}$ can be 
decided by simple enumeration of the finitely many valid guesses. Therefore, any 
member of $\mathrm{GenP}_{\mathbb R}$ or $\mathrm{CGenP}_{\mathbb R}$ can be computed in $\mathrm{EXPT}_{\mathbb R}$. For functions in 
$\sharp\mathrm P_{\mathbb R}$ the latter result is more complicated and related to quantifier elimination. 
However, these functions only compute natural numbers. We will now extend 
generating functions once again. The class of functions obtained will capture 
both $\mathrm{CGenP}_{\mathbb R}$ and $\sharp\mathrm P_{\mathbb R}$. To clarify the ideas let us start with the following 
example. 

Example 2. i) Consider again the permanent function of an $(n \times n)$ matrix $M$. Its 
evaluation can also be described in the following manner. Let $p$ be a polynomial 
in $n$ unknowns such that $p(x_1, \dots, x_n) = 0$ if and only if $(x_1, \dots, x_n)$ gives a 
permutation $\pi$ of $\{1, \dots, n\}$ (i.e. $x_i \in \{1, \dots, n\}$ and $x_i \neq x_j$ for $i \neq j$). 

Then 

$$per(M) = \sum_{x : \, p(x) = 0} M(x).$$ 

Here, $M(x)$ is a polynomial giving for a permutation $\pi$ the value $\prod_{i=1}^{n} m_{i,\pi(i)}$. 
It can easily be defined as a Lagrange polynomial. 

Computation of the permanent thus can be seen as evaluating a polynomial at 
all the zeros of another one and summing up the results. 

ii) Let $f : \mathbb R^n \to \mathbb R$ be a polynomial bounded from below which should 
be minimized. Under the assumption that the usual first-order conditions of 
optimization theory are applicable one can look for the values of $f$ at its critical 
points, i.e. on the zeros of its derivative $p := Df$. The problem takes the form of 
building the minimum of a polynomial on the zeros of another one. It can be 
generalized straightforwardly to constrained optimization problems. 

The major difference between items i) and ii) above is that the zeros of $p$ in 
the first part always consist of (small) integer components. In the second case 
the zeros may consist of real components, which might not even be computable. 
Moreover, the evaluation process in ii) has a much more general flavour and 
captures also the functions in $\sharp\mathrm P_{\mathbb R}$. 

Note that evaluating polynomials on the zeros of other polynomials is also 
crucial in many quantifier elimination procedures, where in particular the signs 
one polynomial takes in the zeros of another are of importance, see [?]. 

We define the class $\mathrm{Met\text{-}GenP}_{\mathbb R}$ along the lines of the second example. Some 
care has to be taken. Consider an $\mathbb R$-structure $\mathcal D$ consisting of two weight functions 
$t_1, t_2$ together with a property $\mathcal E \in \mathrm{NP}_{\mathbb R}$. We want to build sums of the form 

$$\sum_{(\mathcal D, U, z) \in \mathcal E} T$$ 

where $U$ denotes a relation of fixed arity over the finite universe $A$ 
of $\mathcal D$ and $z$ represents a function from $A$ to $\mathbb R$ (for simplicity assume $z$ to be 
unary). Here, $\mathcal E$ depends on one of $\mathcal D$'s weight functions, whereas $T$ depends on 
the other (in a way which has to be made precise). 

Since $\mathcal E \in \mathrm P_{\mathbb R}$ and $z$ can be represented by a vector of $|A|$ many reals the 
decision problem "is there a tuple $(U, z)$ such that $(\mathcal D, U, z) \in \mathcal E$?" is in $\mathrm{NP}_{\mathbb R}$. 
Moreover, there might be infinitely many valid assignments for $(U, z)$ (i.e. for the 
$z$ part). So the above summation can turn into an infinite series. In general, questions 
of convergence of such series are not decidable in the BSS model. Similarly, 
a function like 

$$\min_{(\mathcal D, z) \in \mathcal E} T(\mathcal D, z)$$ 

is not correctly defined if the minimum doesn't exist. 
The question whether there are only finitely many satisfying assignments for 
$z$ is decidable in the BSS framework; it corresponds to the question whether for 
a function $f \in \sharp\mathrm P_{\mathbb R}$ a value $f(x)$ is finite (and therefore exponentially bounded 
in the size of $x$, see [Mee97]). 

We will define our generalized generating functions only for such $\mathbb R$-structures 
$\mathcal D$ for which $\{(U, z) \mid (\mathcal D, U, z) \in \mathcal E\}$ is finite. Then sums as well as minima are 
well defined. Examples which can be covered in this framework include polynomial 
optimization with finitely many Karush-Kuhn-Tucker points. 

Another problem might be the lacking computability of all the valid guesses. 
Here, we want to restrict ourselves to such structures where computability is 
possible. The completeness result below holds true in general, but it can be 
restricted to those structures as well. If the assumption about computability is 
missing the evaluation problem gets a completely different touch, see the remarks 
at the end of this section. 

Let $\mathcal E$ be a property in $\mathrm P_{\mathbb R}$. We consider $\mathbb R$-structures $\mathcal D$ having two weight 
functions $t_1$ and $t_2$ from $\mathcal D$'s finite universe to the reals. We assume the property 
$\mathcal E$ to depend on $t_1$ and the underlying finite structure of $\mathcal D$ only, i.e. $(\mathcal D, U, z) \in 
\mathcal E \iff (\mathcal D^*, U, z) \in \mathcal E$ where $\mathcal D^*$ denotes the $\mathbb R$-structure obtained from $\mathcal D$ by 
removing the second weight function $t_2$. 

As explained above we will only consider such structures $\mathcal D$ for which there 
are only finitely many valid guesses $(U, z)$ such that $(\mathcal D, U, z) \in \mathcal E$. These guesses 
moreover are assumed to be computable. 

Definition 5. a) The class $\mathrm{Met\text{-}GenP}_{\mathbb R}$ is the set of all functions 

$$\sum_{(\mathcal D, U, z) \in \mathcal E} \ \sum_{x \in U} t_2(x) \prod_{a \in x} z(a)$$ 

where $\mathcal D$ and $\mathcal E$ are as assumed above. The condition "$a \in x$" asks $a$ to be a 
component of $x$. 

b) The class $\mathrm{MinMet\text{-}GenP}_{\mathbb R}$ is obtained by taking 

$$\min_{(\mathcal D, U, z) \in \mathcal E} \ \sum_{x \in U} t_2(x) \prod_{a \in x} z(a) .$$ 

Lemma 1. a) $\mathrm{CGenP}_{\mathbb R} \subseteq \mathrm{Met\text{-}GenP}_{\mathbb R}$. 

b) Any function in $\sharp\mathrm P_{\mathbb R}$ which only takes finite values belongs to $\mathrm{Met\text{-}GenP}_{\mathbb R}$. 

Both results are to be understood with respect to slight modifications of the 
input structures in such a way that they fit into the framework of input structures 
for functions in $\mathrm{Met\text{-}GenP}_{\mathbb R}$. 
Proof. 

ad a) Consider a function 

$$CGen_{\mathcal E}((A, R^A), t_1) = \sum_{(A, R^A, U) \in \mathcal E} \ \prod_{x \in U} t_1(x)$$ 

with $\mathcal E \in \mathrm P_{\mathbb R}$. 

We can artificially enlarge the property $\mathcal E$ by an additional component $z$ for 
the guess in such a way that only the assignment 1 for all components of 
$z$ will result in a valid guess (if the $U$-component is correct). The property 
thus obtained remains in $\mathrm P_{\mathbb R}$. Next, we enlarge a given $\mathbb R$-structure $\mathcal D$ by one 
further weight term $t_2$ which is equal to $t_1$. The corresponding evaluation on 
the enlarged structure gives the same value as the evaluation of $CGen_{\mathcal E}$ on 
$\mathcal D$. 

ad b) Suppose $\mathcal E \in \mathrm P_{\mathbb R}$ and $f \in \sharp\mathrm P_{\mathbb R}$ such that $f(\mathcal D) = \sharp\{z \mid (\mathcal D, z) \in \mathcal E\} < \infty$. 
Without loss of generality we can suppose $f$ to count satisfying guesses $z$ of 
the form $z : A \to \mathbb R$ only, i.e. the finite relation $U$ is captured as part of the 
real vector to be guessed (see [Mee97]). 

We enlarge $\mathcal D$'s universe $A := \{1, \dots, n\}$ to $\hat A := A \cup \{n + 1\}$. To $\mathcal D$ there 
corresponds the new structure $\hat{\mathcal D}$; it has universe $\hat A$ and the interpretations 
of the function and relation symbols correspond to those given by $\mathcal D$ on 
arguments from $A^k$ and are zero (resp. not in the relation) if a component 
$n + 1$ is present. A new weight term $\hat t_2 : \hat A \to \mathbb R$ is defined by $\hat t_2(i) := 0$ for all 
$1 \le i \le n$ and $\hat t_2(n + 1) := 1$. 

The property $\mathcal E$ is modified to $\hat{\mathcal E}$ by defining $(\hat{\mathcal D}, U, \hat z) \in \hat{\mathcal E}$ iff $U = \{n + 1\}$, 
$\hat z = (z, 1)$ and $(\mathcal D, z) \in \mathcal E$. We thus obtain 

$$\sum_{(\hat{\mathcal D}, U, \hat z) \in \hat{\mathcal E}} \ \sum_{x \in U} \hat t_2(x) \prod_{a \in x} \hat z(a) 
= \sum_{(\mathcal D, z) \in \mathcal E} \hat t_2(n + 1) \cdot \hat z(n + 1) 
= \sum_{(\mathcal D, z) \in \mathcal E} 1 = f(\mathcal D).$$ 

□ 



In [Mee97] it is shown that every function in $\sharp\mathrm P_{\mathbb R}$ is computable in simply 
exponential time in the BSS model. The proof can be applied to show the existence 
of complete members in $\mathrm{Met\text{-}GenP}_{\mathbb R}$. 

Consider a family of $\mathbb R$-structures $\mathcal D$ representing two multivariate polynomials 
$t_1$ and $t_2$, the first of which is of degree at most 4 and the second of 
degree $k$, $k \in \mathbb N$, see Example 1. Both polynomials depend on the same number 
of variables. 

Theorem 4. Let $\mathcal E := F_{zero}$ be the set of structures representing a polynomial 
having a real zero. 

The (non-combinatorial) generating function 

$$NGen_{\mathcal E}(\mathcal D, t_1, t_2) = \sum_{(\mathcal D, z) \in F_{zero}} \ \sum_{x \in A^k} t_2(x) \prod_{a \in x} z(a)$$ 

is complete in $\mathrm{Met\text{-}GenP}_{\mathbb R}$ w.r.t. reductions in $\mathrm P_{\mathbb R}$. The condition $(\mathcal D, z) \in 
F_{zero}$ is to be understood w.r.t. the weight function $t_1$ of $\mathcal D$. 

That is, evaluating a polynomial on the zeros of another one and summing 
up the results is a complete function in $\mathrm{Met\text{-}GenP}_{\mathbb R}$ (under the assumptions 
made in relation with the definition of $\mathrm{Met\text{-}GenP}_{\mathbb R}$). 

Proof. Consider a property $\mathcal E \in \mathrm P_{\mathbb R}$ together with an input structure $(\mathcal D, t_1, t_2)$ 
for the function generated by $\mathcal E$. The finite universe of $\mathcal D$ is $A := \{1, \dots, n\}$. 

The function value on the input $\mathcal D$ is 

$$\sum_{(\mathcal D, U, z) \in \mathcal E} \ \sum_{x \in U} t_2(x) \prod_{a \in x} z(a) .$$ 

The problem "is there a $(U, z)$ such that $(\mathcal D, U, z) \in \mathcal E$?" belongs to $\mathrm{NP}_{\mathbb R}$ 
and thus can be reduced in polynomial time to the problem of deciding whether 
a polynomial $\hat T_1$ of degree at most 4 has a real zero (for notational simplicity we 
denote the polynomial given via its coefficient function $\hat t_1$ by $\hat T_1$). This reduction 
is not parsimonious; nevertheless, the following holds true according to [?]: 
for every valid assignment $(U, z)$ such that $(\mathcal D, U, z) \in \mathcal E$ we can compute a 
polynomial $\hat T_1$ in variables $y := (u_1, \dots, u_{n^k}, z, w_1, \dots, w_l, v_1, \dots, v_m)$ such that for 
the choice $(u_1, \dots, u_{n^k}) := U$ and $z := z$ there are exactly $2^m$ many zeros of $\hat T_1$. 
More precisely: 

— the components $w_1, \dots, w_l$ are uniquely determined by $(U, z)$, whereas for 
every component $v_i$ there are exactly two possible choices such that any of 
them results in a zero of $\hat T_1$ (if we fix $(U, z, w)$ as first components); 

— the identification of a relation $U$ with the $n^k$ variables $u_1, \dots, u_{n^k}$ is via the 
natural order of $A^k$ according to the natural ranking on $\{1, \dots, n\}$; i.e. $u_i = 1$ 
iff the $i$-th element of $A^k$ is in $U$, and $u_i = 0$ otherwise. 

We are going to define an $\mathbb R$-structure $\hat{\mathcal D}$ representing two polynomials. The 
first of these polynomials will be $\hat T_1$ as described above. Thus, the universe $\hat A$ of 
$\hat{\mathcal D}$ is taken to be the disjoint union of the sets $A_1 := \{1, \dots, n^k\}$ (for the variables 
$u_i$), $A_2 := \{1, \dots, n\}$, $A_3 := \{1, \dots, l\}$ and $A_4 := \{1, \dots, m\}$ (for the components 
of the variables $z$, $w$, and $v$ respectively). 

Next, the second polynomial $\hat T_2$ included into $\hat{\mathcal D}$ (given by its coefficient 
function $\hat t_2$) has to be defined. If $U$ is a relation of arity $k$ on $A$ we define $\hat T_2$ to 
be a polynomial of degree $k + 1$ on $|\hat A|$ many real variables. 

Even though formally $\hat T_2$ depends on all variables $u, z, w, v$ only particular 
monomials will have non-vanishing coefficients. 

More precisely, a coefficient $\hat t_2(x_0, x_1, \dots, x_k)$ might be $\neq 0$ only if $x_0 \in A_1$ 
and $(x_1, \dots, x_k) \in A_2^k$. 

In that case we define 

$$\hat t_2(x_0, \dots, x_k) := \frac{t_2(x_1, \dots, x_k)}{2^m} .$$ 

We claim that evaluating $\hat T_2$ on the zeros of $\hat T_1$ gives 

$$\sum_{(\mathcal D, U, z) \in \mathcal E} \ \sum_{x \in U} t_2(x) \prod_{a \in x} z(a) .$$ 

Calculation shows 

$$\begin{aligned} 
\sum_{(\hat{\mathcal D}, y) \in F_{zero}} \ \sum_{x \in \hat A^{k+1}} \hat t_2(x) \prod_{a \in x} y(a) 
&= \sum_{y : \, \hat T_1(y) = 0} \ \sum_{x \in \hat A^{k+1}} \hat t_2(x) \prod_{a \in x} y(a) \\ 
&= \sum_{\hat T_1(u, z, w, v) = 0} \ \sum_{(a_0, x) \in A_1 \times A_2^k} \hat t_2(a_0, x) \cdot u(a_0) \cdot \prod_{a \in x} z(a) \\ 
&= \sum_{\substack{(u, z) \text{ first components} \\ \text{of a zero of } \hat T_1}} 2^m \cdot \sum_{x \in U} 2^{-m} \cdot t_2(x) \prod_{a \in x} z(a) 
\end{aligned}$$ 

(here $U$ denotes the relation defined by those $u_i$ which are 1) 

$$= \sum_{(\mathcal D, U, z) \in \mathcal E} \ \sum_{x \in U} t_2(x) \prod_{a \in x} z(a) = NGen_{\mathcal E}(\mathcal D) .$$ 

□ 

Remark 1. We could also allow counting according to functions $z : A^t \to \mathbb R$ for 
some arbitrary arity $t \ge 1$. 

Similarly, in the above complete problem we could reduce the degree of $\hat T_2$ 
to be at most 4 as well by applying the same reduction idea used for $\hat T_1$. We 
omitted this in order not to get lost in details. 

Complete problems for $\mathrm{MinMet\text{-}GenP}_{\mathbb R}$ are obtained in the same way. As 
already mentioned, this class of functions includes the minimization of polynomial 
functions according to side constraints which are expressed via $\mathcal E$. For 
example, non-convex quadratic optimization problems with linear constraints 
can be described this way (cf. [Mee94]). 

A completely new issue appears if we do not suppose the valid guesses of 
an $\mathrm{NP}_{\mathbb R}$-property to be computable for the given input (as is the case in many 
situations)! 

Then, even if we assume the number of valid guesses to be finite the computation 
of the corresponding generating function cannot be done exactly. In that 
situation, we are led to approximating these guesses and then performing the 
subsequent evaluation also approximately. This is a completely different program 
than what we have done here; of course, the underlying questions of approximative 
computations are of high relevance. For results in relation with the BSS 
model see [BCSS98]. 

In case we also want to get rid of the assumptions concerning the finiteness 
of the number of valid guesses one can think about a variation of the BSS model 
where also the evaluation of infinite series is possible. Steps in this direction 
can be found in [?SV97]. 
Abstract. Logical frameworks with a logic programming interpretation such 
as hereditary Harrop formulae (HHF) cannot directly express negative 
information, although negation is a useful specification tool. Since negation-as-failure 
does not fit well in a logical framework, especially one endowed with 
hypothetical and parametric judgments, we adapt the idea of elimination of 
negation introduced in [?] for Horn logic to a fragment of higher-order HHF. 
This entails finding a middle ground between the Closed World Assumption 
usually associated with negation and the Open World Assumption typical of 
logical frameworks; the main technical idea is to isolate a set of programs 
where static and dynamic clauses do not overlap. 



1 Introduction 

Deductive systems consist of axioms and rules defining derivable judgments; they 
can be used to specify logics and aspects of programming languages such as operational 
semantics or type systems. A logical framework is a meta-language for the 
specification, implementation and verification of deductive systems and possibly their 
meta-theory. A logical framework must provide tools which make encodings as simple 
and direct as possible. One well known example is higher-order abstract syntax, 
which moves renaming and substitution principles to the meta-language. Logical 
frameworks should be by design as weak as possible to simplify proofs of adequacy 
of encodings, effective checking of the validity of derivations and proof-search as well 
as unification. Many logical frameworks have been proposed in the literature (see [?] 
for an overview) and many extensions are also under consideration. However, we 
must carefully balance the benefits that any proposed extension can bring against 
the complications its meta-theory would incur. 

This paper discusses the introduction of a logically justified notion of negation in 
logical frameworks with a logic programming interpretation such as hereditary Harrop 
formulae (HHF) [?] and its implementation in λProlog [?]. We intend this to form 
the basis for type-theoretic frameworks such as LF [?] and its implementation Twelf 
[?]. Those systems do not provide a primitive negation operator. Indeed, constructive 
logics usually implement negative information as $\neg A = A \to \bot$, where $\bot$ denotes 
absurdity and the Duns Scotus law is the elimination rule. Thus negative predicates 
have no special status; that would correspond to explicitly coding negative information 
in a program, which is entirely consistent with the procedural interpretation 
of hypothetical judgments available in logical frameworks with a logic programming 
interpretation. However, this would not only significantly complicate goal-oriented 
proof search, but providing negative definitions seems to be particularly error-prone, 
repetitive and not particularly interesting; more importantly, in a logical framework 
we also have to fulfill the proof obligation that the proposed negative definition does 
behave as the complement (of its positive counterpart). Automating the synthesis 
of negative information has not only an immediate practical relevance in the logic 
programming sense, but it may also have a rather dramatic effect on the possibility 
of implementing deductive systems that would prove to be too unwieldy to deal with 
otherwise. The synthesis of the negation of predicates such as typable, well-formed, 
canonical form, subsort, value etc., as well as Prolog-like predicates such as equality, 
set membership and the like, will increase the amount of meta-theory that can be 
formalized. 

Traditionally, negation-as-failure (NF) [?] has been the overwhelmingly used approach 
in logic programming (see [?] for a recent survey): that is, infer $\neg A$ if every 
proof of $A$ fails finitely. The operational nature of this rule motivates the lack of 
a unique semantics and some of its related troublesome features: possible unsoundness, 
incompleteness and floundering. Furthermore, even if we manage to isolate a 
well-behaved logical fragment, such as acyclic normal programs, allowing NF in a 
logical framework would make adequacy theorems more difficult to prove, as both 
provability and unprovability must now be considered. The situation is even further 
complicated when we step to frameworks with hypothetical judgments; as recognized 
first by Gabbay [?], the unrestricted combination of NF and embedded implication 
is particularly problematic, since it leads to the failure of basic logic principles such 
as cut-elimination. 

The approach to negation that we adopt is transformational, also known as intensional 
negation, initiated in [?] and developed in Pisa [?] for Horn logic with negation. 
Roughly, given a clause with occurrences of negated predicates, say $Q \leftarrow G, \neg P, G'$, 
where $P$ is an already defined atom, the aim is to derive a positive predicate, 
say $non\_P$, which implements the complement of $P$, preserving operational equivalence; 
then it is merely a question of replacement, yielding the negation-less clause 
$Q \leftarrow G, non\_P, G'$. This has the neat effect that negation and its problems are eliminated, 
i.e. we avoid any extension to the (meta) language. Technically, we can achieve 
this by transforming a Horn program into negation normal form and then by negating 
atoms via complementing terms, a problem first addressed in [?] for first-order 
terms. A final issue, which we do not tackle here, is dealing with local variables, 
which, during the transformation, become (extensionally) universally quantified. 
Unfortunately, this approach does not scale immediately to logical frameworks 
such as HHF, for three main reasons: 

1. The simply-typed λ-calculus is not closed under term complement. 

2. Negation normal forms are incompatible with the operational semantics required 
by HHF. 

3. There is an intrinsic tension between the Closed World Assumption (CWA), 
which is associated with negation, and the Open World Assumption (OWA) typical 
of languages with embedded implication. 

The first problem has been solved in [?] by introducing a strict λ-calculus where 
term complement in the simply typed λ-calculus can be embedded and performed. 
The second issue is orthogonal and requires an operational notion of normal form. The 
third one is rooted in the fundamental difference between Horn and HHF formulae: 
as is well known, a Horn predicate definition can be seen as an inductive definition 
of the same predicate. The minimality condition of inductive definitions excludes 
anything else which is not allowed by the base and step case(s). This corresponds in 
Horn logic to the existence of the least model and to the consistency of the CWA and 
its finitary approximation, the completion of a program [?]: every atom which is not 
provable from a program is assumed to be false. Languages which provide embedded 
implication and universal quantification are instead open-ended and thus require the 
OWA; in fact, dynamic assumptions may, at run-time, extend the current signature 
and program in a totally unpredictable way. This makes it in general impossible 
to talk about the closure of such a program. In the literature the issue has been 
addressed in essentially three ways: 

1. By enforcing a strict distinction between CWA and OWA predicates and applying 
NF only to the former [?], where the latter would require minimal negation. 

2. By switching to a modal logic, which is able to take into account arbitrary extensions 
of the program as possible worlds (see the completion construction in 
[?] for N-Prolog and [?] for Hypothetical Datalog). 

3. By embracing the idea of partiality in inductive definitions and using the rule of 
definitional reflection to incorporate a proof-theoretical notion of closure analogous 
to the completion [?]. 

None of those approaches is satisfactory for our purposes: most of the predicates 
we want to negate are open-ended; similarly, definitional reflection is not well-behaved 
(for example cut is not eliminable) for that very class of programs we are interested 
in. Moreover, we need to express the negation of a predicate in the same language 
where the predicate is formulated. Our solution is to restrict the set of programs we 
deem deniable in a novel way, so as to enforce a Regular World Assumption (RWA): we 
define a class of programs whose dynamic assumptions extend the current database 
in a specific regular way. This constitutes a reasonable middle ground between the 
CWA, which allows no dynamic assumption but is amenable to negation, and the 
OWA, where assumptions are totally unpredictable. The RWA is also a promising 
tool in the study of meta-logical frameworks [?]. Technically, this regularity 
under dynamic extension is calibrated so as to ensure that static and dynamic clauses 
never overlap. This property extends to the negative program; in a sense, we maintain 
a distinction between static and dynamic information, but at a much finer level, 
i.e. inside the definition of a predicate. The resulting fragment is very rich, as it 
captures the essence of the usage of hypothetical and parametric judgments in a 
logical framework; namely, that they are intrinsically combined to represent scoping 
constructs in the object language. This is why we contend that this class of programs 
is adequate for the practice of logical frameworks. 

It is clear that elimination of negation makes sense only when negation is stratified, 
i.e. the negative predicates ultimately refer (in the call graph) to a positive 
one. While there may be a place in logic programming for non-stratified negation, 
this does not seem to be the case for a logical framework. Another difference from 
traditional logic programming is that negation applies only to terminating programs; 
thus it refers not to finite failure but to unprovability tout court, as we refrain from 
negating programs whose negation is not recursively axiomatizable. We will thus 
identify negation with a complement operation. 

The rest of the paper is organized as follows: in Sect. 2 we give an informal view 
of the complement algorithm by means of examples, while Sect. 3 introduces the 
language. Section 4 describes term and clause complementation. We conclude in Sect. 5 
with some remarks on future work. We refer to [?] for more details and proofs 
omitted here for reasons of space. 

2 A Motivating Example 

Consider the expressions of the untyped λ-calculus: 

e ::= x | λx. e | e1 e2 

We encode these expressions as terms in (labeled) HHF via the usual techniques of 
higher-order abstract syntax as canonical forms over the following signature: 

Σ = exp : type, lam : (exp → exp) → exp, app : exp → (exp → exp) 

The representation function is given by: 

⌜x⌝ = x        ⌜λx. e⌝ = lam (λx:exp. ⌜e⌝)        ⌜e1 e2⌝ = app ⌜e1⌝ ⌜e2⌝ 

A term is linear if every functional subterm uses each argument exactly once; in 
particular, we check the linearity of a function by making sure that the latter is linear 
in its first argument and then recurring on the rest of the expression. 

linapp : linear(app E1 E2) ← linear(E1) ∧ linear(E2). 
linlam : linear(lam(λx. E x)) 
         ← linx(λx. E x) ∧ (∀y:exp. linear(y) → linear(E y)). 
linxx : linx(λx. x). 
linxap1 : linx(λx. app (E1 x) E2) ← linx(λx. E1 x). 
linxap2 : linx(λx. app E1 (E2 x)) ← linx(λx. E2 x). 
linxlm : linx(λx. lam(λy. E x y)) ← (∀y:exp. linx(λx. E x y)). 

This is clearly a decision procedure, which can be complemented; an expression is 
not linear if there is some function which either does not use its argument or uses it 
more than once. First, the complement of linapp does not pose any problem, as it 
is a Horn clause: an application is not linear if either the first element or the second 
is not linear. Next, a lambda expression is not linear in two cases: one, if it is not 
linear in its first argument: 

¬linlam1 : ¬linear(lam λx. E x) ← ¬linx(λx. E x). 
Secondly, if its body is not linear. Now, this poses a new problem, as we have to 
negate a hypothetical and parametric goal. Let us reason by example and suppose 
we are given, in the empty context, the goal linear(lam(λx. lam(λy. x))), which is 
unprovable, since the second lambda term is not linear in y; the proof tree yields 
the failure leaf linx(λx. z), for a new parameter z, in the context z:exp; linear(z). 
Our guiding intuition is that we want to mimic a failure derivation so as to provide 
a successful derivation from the negative definition, i.e. a proof of ¬linx(λx. z) from 
z:exp; linear(z); this shows one prominent feature of complementation of an HHF 
formula: negation ‘skips’ over ∀ and →, since it needs to mirror failure from assumptions. 
Now, let us examine clause linxlm and reconsider the above failure leaf; in a 
first attempt, according to the idea above, the complement would be: 

?¬linxlm : ¬linx(λx. lam(λy. E x y)) ← (∀y:exp. ¬linx(λx. E x y)). 

However, there is no way to obtain a proof of ¬linx(λx. z) from the current context. 
Indeed, the linxlm clause does not carry enough information for its complement 
to mimic the failure proof. In a sense, the clause is not assumption-complete: once 
it has introduced a new parameter, the clause only specifies how to use it in a positive 
context. It is up to us to synthesize its dynamic negative definition, in this case 
simply ∀y:exp. ¬linx(λx. y). More in general, it is a characteristic of HHF that the 
negation of a clause is not strong enough to determine the behavior of a program 
under complementation. We will have to insert (via a source-to-source transformation) 
additional structure in a predicate definition, in order to completely determine 
the provability or failure of goals which mention parameters. By observing the structure 
of all possible assumptions that a predicate definition can make, we will augment 
those assumptions with their negative definition. In particular, we first augment the 
clause linxlm: 

aug_D(linxlm) : linx(λx. lam(λy. E x y)) 
               ← (∀y:exp. ¬linx(λx. y) → linx(λx. E x y)). 

so that, by complementation, we obtain: 

¬aug_D(linxlm) : ¬linx(λx. lam(λy. E x y)) 
                ← (∀y:exp. ¬linx(λx. y) → ¬linx(λx. E x y)). 

Unfortunately, the procedure we have outlined is not possible in general. Consider 
a clause encoding the introduction rule for implication in natural deduction, which 
can be used to check whether an implicational formula trivially holds: 

Σ = form : type, imp : form → (form → form), a : form, b : form, c : form 
impi : nd(A imp B) ← (nd(A) → nd(B)). 

Following our earlier remark its complement would be: 

¬impi1 : ¬nd(a). 
¬impi2 : ¬nd(b). 
¬impi3 : ¬nd(c). 
?¬impi : ¬nd(A imp B) ← (nd(A) → ¬nd(B)). 
This specification is clearly incorrect since both nd(a imp a) and ¬nd(a imp a) are 
derivable from the empty context. We can isolate one major problem: in clause impi 
the assumption nd(A), which is dynamically added to the (static) definition of the 
nd predicate, overlaps with the head of the clause. A symmetrical problem can occur 
when dynamic and static clauses do differ but their complements do not. We have 
thus isolated two main issues: 

1. Exhaustivity: we need to enrich clauses so that every (ground) goal or its negation 
is provable. 

2. Exclusivity: we need to isolate a significant fragment where it is not the case that 
both a goal and its negation are provable. 

We will achieve exhaustivity (Theorem 2) by augmenting the program with the complement 
of assumptions; moreover, we will achieve exclusivity (Theorem 1) with the 
restriction to complementable programs. To anticipate the idea, a clause is complementable 
if every assumption contains some eigenvariable at execution time. 



3 Provability and Unprovability 



We will use the following somewhat unusual language: 

Simple Types        A ::= a | A1 → A2 
Terms               M ::= c | x | λx:A. M | M1 M2 
Atoms               Q ::= q Mn | ¬q Mn 
Clauses             D ::= ⊤ | ⊥ | Q ← G | D1 ∧ D2 | D1 ∨ D2 | ∀x:A. D 
Goals               G ::= Q | ⊤ | ⊥ | Mn = Nn | Mn ≠ Nn | G1 ∧ G2 | G1 ∨ G2 | D → G | ∀x:A. G | ∃x:A. G 
Signatures          Σ ::= · | Σ, a:type | Σ, c:A 
Parameter Contexts  Γ ::= · | Γ, x:A 
Assumptions         𝒟 ::= ⊤ | 𝒟 ∧ D 



There is a distinguished type o for propositions which can occur only as the target of 
some A. We remark that ‘¬’ is not a connective, but a name constructor for atomic 
formulae; ‘facts’ are represented, for convenience, by Q ← ⊤, although in examples we 
will omit to mention ⊤. We assume that existential variables occur only once in the 
head of program clauses (i.e. clauses are left-linear); this can always be achieved by 
introducing disequations in the body. In this paper we restrict ourselves to programs 
such that all assumptions are Horn and which can be proven to be terminating 
under some well-founded ordering. We introduce the uniform proofs system [12] for 
(immediate) provability and denial in Fig. 1. For terminating programs, we can prove 
that the failure to achieve a proof of G translates into (a derivation of) the denial of 
G. Note also that due to the presence of disjunction as a clause constructor, uniform 
proofs are not complete for our language. We will remedy this situation in Sect. 4. 

Γ;𝒟 ⊢_𝒫 G        Program 𝒫 and assumptions 𝒟 uniformly entail G. 
Γ;𝒟 ⊬_𝒫 G        Program 𝒫 and assumptions 𝒟 uniformly deny G. 
Γ;𝒟 ⊢_𝒫 D ≫ Q    Clause D from 𝒫 and 𝒟 immediately entails atom Q. 
Γ;𝒟 ⊬_𝒫 D ≫ Q    Clause D from 𝒫 and 𝒟 immediately denies atom Q. 
$$\frac{}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}}\top}\ \vdash\!\top
\qquad
\frac{}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}}\bot}\ \nvdash\!\bot$$

$$\frac{M_n = N_n}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} M_n = N_n}\ \vdash\!=
\qquad
\frac{M_n \neq N_n}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} M_n = N_n}\ \nvdash\!=$$

$$\frac{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} G_1 \quad \Gamma;\mathcal{D}\vdash_{\mathcal{P}} G_2}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} G_1\wedge G_2}\ \vdash\!\wedge
\qquad
\frac{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} G_1 \quad \Gamma;\mathcal{D}\nvdash_{\mathcal{P}} G_2}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} G_1\vee G_2}\ \nvdash\!\vee$$

$$\frac{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} G_i}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} G_1\vee G_2}\ \vdash\!\vee_i
\qquad
\frac{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} G_i}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} G_1\wedge G_2}\ \nvdash\!\wedge_i$$

$$\frac{\Gamma\vdash t:A \quad \Gamma;\mathcal{D}\vdash_{\mathcal{P}} [t/x]G}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} \exists x{:}A.\,G}\ \vdash\!\exists
\qquad
\frac{\text{for all } n:\ \ \Gamma\vdash n:A \quad \Gamma;\mathcal{D}\nvdash_{\mathcal{P}} [n/x]G}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} \exists x{:}A.\,G}\ \nvdash\!\exists$$

$$\frac{\Gamma;(\mathcal{D}\wedge D)\vdash_{\mathcal{P}} G}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} D\to G}\ \vdash\!\to
\qquad
\frac{\Gamma;(\mathcal{D}\wedge D)\nvdash_{\mathcal{P}} G}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} D\to G}\ \nvdash\!\to$$

$$\frac{(\Gamma,y{:}A);\mathcal{D}\vdash_{\mathcal{P}} [y/x]G}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} \forall x{:}A.\,G}\ \vdash\!\forall^{y}
\qquad
\frac{(\Gamma,y{:}A);\mathcal{D}\nvdash_{\mathcal{P}} [y/x]G}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} \forall x{:}A.\,G}\ \nvdash\!\forall^{y}$$

$$\frac{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} (\mathcal{P}\wedge\mathcal{D})\gg Q}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} Q}\ \vdash\!At
\qquad
\frac{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} (\mathcal{P}\wedge\mathcal{D})\gg Q}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} Q}\ \nvdash\!At$$

$$\frac{}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} \bot\gg Q}\ \gg\!\bot
\qquad
\frac{}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} \top\gg Q}\ \nvdash\!\gg\!\top$$

$$\frac{\Gamma\vdash t:A \quad \Gamma;\mathcal{D}\vdash_{\mathcal{P}} [t/x]D\gg Q}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} \forall x{:}A.\,D\gg Q}\ \gg\!\forall
\qquad
\frac{\text{for all } n:\ \ \Gamma\vdash n:A \quad \Gamma;\mathcal{D}\nvdash_{\mathcal{P}} [n/x]D\gg Q}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} \forall x{:}A.\,D\gg Q}\ \nvdash\!\gg\!\forall$$

$$\frac{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} D_i\gg Q}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} D_1\wedge D_2\gg Q}\ \gg\!\wedge_i
\qquad
\frac{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} D_i\gg Q}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} D_1\vee D_2\gg Q}\ \nvdash\!\gg\!\vee_i$$

$$\frac{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} D_1\gg Q \quad \Gamma;\mathcal{D}\vdash_{\mathcal{P}} D_2\gg Q}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} D_1\vee D_2\gg Q}\ \gg\!\vee
\qquad
\frac{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} D_1\gg Q \quad \Gamma;\mathcal{D}\nvdash_{\mathcal{P}} D_2\gg Q}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} D_1\wedge D_2\gg Q}\ \nvdash\!\gg\!\wedge$$

$$\frac{N_n = M_n \quad \Gamma;\mathcal{D}\vdash_{\mathcal{P}} G}{\Gamma;\mathcal{D}\vdash_{\mathcal{P}} (q\,N_n\leftarrow G)\gg q\,M_n}\ \gg\!\leftarrow$$

$$\frac{N_n \neq M_n}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} (q\,N_n\leftarrow G)\gg q\,M_n}\ \nvdash\!\gg\!\leftarrow_1
\qquad
\frac{N_n = M_n \quad \Gamma;\mathcal{D}\nvdash_{\mathcal{P}} G}{\Gamma;\mathcal{D}\nvdash_{\mathcal{P}} (q\,N_n\leftarrow G)\gg q\,M_n}\ \nvdash\!\gg\!\leftarrow_2$$

Fig. 1. (Immediate) Provability and Denial 
Some brief comments are in order: the (in)equality rules simply mirror the object 
logic symbols =, ≠ as meta-level (in)equalities. ⊬≫∀ and ⊬∃ are infinitary rules, given 
the meta-linguistic extensional universal quantification on all terms. Rules ⊢∀, ⊬∀ 
are instead parametric in y, where the ()^y superscript reminds us of the eigenvariable 
condition. The denial rules for implication and universal quantification reflect the 
operational semantics of unprovability that we have discussed earlier. 

We start by putting every program in a normalized format w.r.t. assumptions, 
so that every goal in the scope of a universal quantifier is guaranteed to depend on 
some assumption, possibly the trivial clause ⊤. This has also the effect of ‘localizing’ 
the trivial assumption to its atom, a property which will be central while complementing 
assumptions; for example we re-write linxlm as follows: 

linxlm : linx(λx. lam(λy. E x y)) 
         ← (∀y:exp. ⊤_linx → linx(λx. E x y)). 

For the sake of this paper, we also need to modify the source program so that every 
term in a clause head is fully applied, i.e. it is a lambda term where every variable 
mentioned in the binder occurs in the matrix; this makes term complementation 
(Sect. 4) much simpler. For example clause linxap1 is rewritten as: 

linxap1 : linx(λx. app (E1 x) (E2 x)) ← linx(λx. E1 x) ∧ vac(λx. E2 x). 

where vac(λx. E2 x) enforces that x does not occur in E2 x. Its definition is type-directed, 
but we have shown in [?] how to internalize these occurrence constraints 
in a strict type theory, so that this further transformation is not needed. 

We now discuss context schemata. As we have argued in Sect. 2, we cannot obtain 
closure under clause complementation for the full logic of HHF, but we have to restrict 
ourselves to a smaller (but significant) fragment. This in turn entails that we have 
to make sure that during execution, whenever an assumption is made, it remains in 
the fragment we have isolated. Technically, we proceed as follows: 

— We extract from the static definition of a predicate the general ‘template’ of a 
legal assumption. 

— We require dynamic assumptions to conform to this template. 

We thus introduce the notion of schema satisfaction, which uses the following data 
structure: a context schema abstracts over all possible instantiations of a context 
during execution. To account for that, we introduce a quantifier-like operator, say 
SOME ϕ. 𝒟, which takes a clause and existentially binds its free variables, if any, 
i.e. ϕ = FV(𝒟). The double bar ‘‖’, not to be confused with the BNF ‘|’ that we 
informally use in the meta-language, denotes schema alternatives, while ‘∘’ stands 
for the empty context schema. 

Context Schemata S ::= ∘ | S ‖ (Γ; SOME ϕ. 𝒟) 

The linear predicate yields this (degenerate) example of context schema: 

S_linear = ∘ ‖ (x:exp; linear(x)) ‖ (x:exp; ⊤_linx) 
We extract a context schema by collecting all negative occurrences in a goal; this 
is achieved by simulating execution until an atomic goal is reached and the current 
list of parameters and assumptions is returned, with their correct existential binding. 
Different clauses may contribute different schema alternatives for a given predicate 
definition. A run-time context consists of a set of blocks, each of which is an instance 
of the context schema, for example: 

y1:exp, y2:exp, x1:exp; ⊤_linx ∧ ⊤_linx ∧ linear(x1) 

We will need to disambiguate blocks in run-time contexts; overlapping may indeed 
happen when the alternatives in a context schema are not disjoint. Intuitively, a 
block is complete when an atomic conclusion is reached during the deduction. Any 
bracketing convention will do: 

⌈y1:exp⌉, ⌈y2:exp⌉, ⌈x1:exp⌉; ⌈⊤_linx⌉ ∧ ⌈⊤_linx⌉ ∧ ⌈linear(x1)⌉ 

We then define when a formula satisfies a schema. We start by saying that a completed 
block belongs to a schema when the block is an alphabetic variant of some 
instantiation of one of the alternatives of the schema. Then, the empty run-time 
context is an instance of every schema. Secondly, if Γ' and 𝒟' are completed blocks 
which belong to S, and Γ;𝒟 is an instance of S, then (Γ, ⌈Γ'⌉); (𝒟 ∧ ⌈𝒟'⌉) is an 
instance of S, provided that 𝒟' is a valid clause. The latter holds when each of its 
subgoals satisfies the schema. This is achieved by mimicking the construction on the 
run-time schema until in the base case we check whether the resulting context is an 
instance of the given schema. 

We can prove that if a context schema is extracted from a program, then any 
instance of the latter satisfies the former. Moreover, execution preserves contexts, 
i.e. every subgoal which arises in any given successful or failed (immediate and non-immediate) 
sub-derivation satisfies the context schema. See [3] for the formal development. 



4 Clause Complementation 

We restrict ourselves to programs with: 

— Goals where every assumption is parametric, i.e. it is in the scope of a positive 
occurrence of a universal quantifier and the corresponding parameter occurs in 
head position in the assumption. 

— Clauses Q ← G such that the head of every term in Q is rigid. 

Note that the rigidity restriction applies only to non-Horn predicate definitions and 
can be significantly relaxed; see [13] for a detailed account. 

The first ingredient is higher-order pattern complement, Not(M), investigated 
in the general case in [?]; we give here the rules for complementing fully applied 
patterns: 
$$\frac{}{\Gamma\vdash\mathrm{Not}(E\,\Gamma)\Rightarrow\emptyset}\ \mathrm{Not\_FZx}
\qquad
\frac{\Gamma,x{:}A\vdash\mathrm{Not}(M)\Rightarrow N : B}{\Gamma\vdash\mathrm{Not}(\lambda x{:}A.\,M)\Rightarrow\lambda x{:}A.\,N : A\to B}\ \mathrm{Not\_Lam}$$

$$\frac{g\in\Sigma\cup\Gamma \quad g : A_1\to\cdots\to A_m\to a \quad m\ge 0 \quad h\ne g}{\Gamma\vdash\mathrm{Not}(h\,M_n)\Rightarrow g\,(Z_1\Gamma)\ldots(Z_m\Gamma) : a}\ \mathrm{Not\_App}_1$$

$$\frac{\exists i : 1\le i\le n \quad \Gamma\vdash\mathrm{Not}(M_i)\Rightarrow N : A_i}{\Gamma\vdash\mathrm{Not}(h\,M_n)\Rightarrow h\,(Z_1\Gamma)\ldots(Z_{i-1}\Gamma)\,N\,(Z_{i+1}\Gamma)\ldots(Z_n\Gamma) : a}\ \mathrm{Not\_App}_2$$

where the Z's are fresh variables which may depend on the domain of Γ, h ∈ Σ ∪ Γ, 
and Γ ⊢ h : A1 → ⋯ → An → a. Γ ⊢ Not(M) = 𝒩 : A iff 𝒩 = {N | Γ ⊢ Not(M) ⇒ N : A}. 
For example: 

· ⊢ Not(λx. x) = {λx. lam(λy. E x y), λx. app (E1 x) (E2 x)} 

If we write Γ ⊢ M ∈ ‖N‖ : A when M is a ground instance of a pattern N at type 
A, we can show that Not behaves as the complement on sets of ground terms, i.e. 

1. (Exclusivity) Not (Γ ⊢ M ∈ ‖N‖ : A and Γ ⊢ M ∈ ‖Not(N)‖ : A). 

2. (Exhaustivity) Either Γ ⊢ M ∈ ‖N‖ : A or Γ ⊢ M ∈ ‖Not(N)‖ : A. 

Complementing goals is immediate: we just put the latter in negation normal 
form, respecting the operational semantics of failure. 

$$\mathrm{Not}_G(\top)=\bot\ \ (\mathrm{Not}_G\top) \qquad \mathrm{Not}_G(\bot)=\top\ \ (\mathrm{Not}_G\bot) \qquad \mathrm{Not}_G(Q)=\neg Q\ \ (\mathrm{Not}_G At)$$

$$\mathrm{Not}_G(M_n = N_n)=(M_n\ne N_n)\ \ (\mathrm{Not}{=}) \qquad \mathrm{Not}_G(M_n\ne N_n)=(M_n = N_n)\ \ (\mathrm{Not}{\ne})$$

$$\frac{\mathrm{Not}_G(G)=G'}{\mathrm{Not}_G(\forall x{:}A.\,G)=\forall x{:}A.\,G'}\ \mathrm{Not}_G\forall
\qquad
\frac{\mathrm{Not}_G(G)=G'}{\mathrm{Not}_G(D\to G)=D\to G'}\ \mathrm{Not}_G{\to}$$

$$\frac{\mathrm{Not}_G(G_1)=G_1' \quad \mathrm{Not}_G(G_2)=G_2'}{\mathrm{Not}_G(G_1\wedge G_2)=G_1'\vee G_2'}\ \mathrm{Not}{\wedge}
\qquad
\frac{\mathrm{Not}_G(G_1)=G_1' \quad \mathrm{Not}_G(G_2)=G_2'}{\mathrm{Not}_G(G_1\vee G_2)=G_1'\wedge G_2'}\ \mathrm{Not}{\vee}$$

Clause complementation is instead more delicate: given a rule q Mn ← G, its 
complement must contain a ‘factual’ part motivating failure due to clash with the 
head; the remainder NotG(G) expresses failure in the body, if any. Clause complementation 
must discriminate whether (the head of) a rule belongs to the static or 
dynamic definition of a predicate. In the first case all the relevant information is 
already present in the head of the clause and we can use the term complementation 
algorithm. This is accomplished by the rule NotD←, where a set of negative facts 
is built via term complementation Not(Mn), namely ⋀_{Nn ∈ Not(Mn)} ∀(¬(q Nn) ← ⊤), 
whose fresh free variables are universally closed; moreover the negative counterpart 
of the source clause is obtained via complementation of the body. The original quantification 
is retained thanks to rule NotD∀. 

$$\mathrm{Not}_D(\top)=\bot\ \ (\mathrm{Not}_D\top) \qquad \mathrm{Not}_D(\bot)=\top\ \ (\mathrm{Not}_D\bot)$$

$$\frac{\mathrm{Not}_G(G)=G'}{\mathrm{Not}_D(q\,M_n\leftarrow G)=\Big(\bigwedge_{N_n\in\mathrm{Not}(M_n)}\forall(\neg(q\,N_n)\leftarrow\top)\Big)\wedge(\neg(q\,M_n)\leftarrow G')}\ \mathrm{Not}_D{\leftarrow}$$

$$\frac{\mathrm{Not}_D(D)=D'}{\mathrm{Not}_D(\forall x{:}A.\,D)=\forall x{:}A.\,D'}\ \mathrm{Not}_D\forall$$

$$\frac{\mathrm{Not}_D(D_1)=D_1' \quad \mathrm{Not}_D(D_2)=D_2'}{\mathrm{Not}_D(D_1\wedge D_2)=D_1'\vee D_2'}\ \mathrm{Not}{\wedge}
\qquad
\frac{\mathrm{Not}_D(D_1)=D_1' \quad \mathrm{Not}_D(D_2)=D_2'}{\mathrm{Not}_D(D_1\vee D_2)=D_1'\wedge D_2'}\ \mathrm{Not}{\vee}$$
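As an added example (not the paper's code, and not a Twelf implementation), the following Python encodes the four Not rules for fully applied, second-order patterns over the Sect. 2 signature, the Horn cases of NotG, and rule NotD← for unary static Horn clauses, so that NotD(linapp) and NotD(linxx) can be computed and compared with the complements given in the text. The term, goal and clause encodings and the names complement, not_g and not_d are this example's own; parameters are assumed to have base type and patterns to be left-linear, as the paper requires.

```python
"""Pattern complement Not(M) and Horn-clause complementation NotD (added example)."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Tuple, Union

Ty = Union[str, Tuple["Ty", "Ty"]]          # base type "exp" or an arrow (A, B)
EXP: Ty = "exp"

def target(ty: Ty) -> str:                  # target a of A1 -> ... -> An -> a
    return ty if isinstance(ty, str) else target(ty[1])
def arg_types(ty: Ty) -> List[Ty]:          # [A1, ..., An]
    return [] if isinstance(ty, str) else [ty[0]] + arg_types(ty[1])

@dataclass(frozen=True)
class Lam:                                  # lambda x:A. body
    x: str
    ty: Ty
    body: "Term"
@dataclass(frozen=True)
class App:                                  # rigid head h (constant or parameter) applied to M1..Mn
    head: str
    args: Tuple["Term", ...] = ()
@dataclass(frozen=True)
class FVar:                                 # logic variable Z applied to the parameters in scope
    name: str
    params: Tuple[str, ...] = ()

Term = Union[Lam, App, FVar]
# Constructed signature of Sect. 2: lam : (exp -> exp) -> exp, app : exp -> exp -> exp.
SIG: Dict[str, Ty] = {"lam": ((EXP, EXP), EXP), "app": (EXP, (EXP, EXP))}
_fresh = count(1)

def general(ty: Ty, ctx: List[Tuple[str, Ty]]) -> Term:
    """Most general pattern of type A1 -> .. -> An -> a in ctx: lam y1..yn. Z ctx y1..yn."""
    ys = [(f"y{next(_fresh)}", a) for a in arg_types(ty)]
    assert all(isinstance(a, str) for _, a in ctx + ys), "second-order patterns only"
    body: Term = FVar(f"Z{next(_fresh)}", tuple(x for x, _ in ctx + ys))
    for y, a in reversed(ys):
        body = Lam(y, a, body)
    return body

def complement(m: Term, ty: Ty, ctx: List[Tuple[str, Ty]]) -> List[Term]:
    """Not(M) at type ty in context ctx, by rules Not_Lam, Not_FZx, Not_App1, Not_App2."""
    if isinstance(m, Lam):                                    # Not_Lam: recurse under the binder
        return [Lam(m.x, ty[0], n) for n in complement(m.body, ty[1], ctx + [(m.x, ty[0])])]
    if isinstance(m, FVar):                                   # Not_FZx: E applied to all of ctx
        assert set(m.params) == {x for x, _ in ctx}, "pattern must be fully applied"
        return []                                             # matches every term: empty complement
    heads = dict(SIG, **dict(ctx))                            # rigid heads range over Sigma and Gamma
    tys, a = arg_types(heads[m.head]), target(heads[m.head])
    out = [App(g, tuple(general(t, ctx) for t in arg_types(gty)))  # Not_App1: a different head g
           for g, gty in heads.items() if g != m.head and target(gty) == a]
    for i, (mi, ti) in enumerate(zip(m.args, tys)):           # Not_App2: same head, argument i differs
        for n in complement(mi, ti, ctx):
            out.append(App(m.head, tuple(n if j == i else general(t, ctx)
                                         for j, t in enumerate(tys))))
    return out

# Horn goals as tuples: ("top",), ("bot",), ("atom", sign, q, M), ("and", G1, G2), ("or", G1, G2).
Goal = tuple

def not_g(g: Goal) -> Goal:
    """NotG on Horn goals: negation normal form mirroring the failure semantics."""
    if g[0] in ("top", "bot"):
        return ("bot",) if g[0] == "top" else ("top",)
    if g[0] == "atom":
        return ("atom", not g[1], g[2], g[3])                 # Q becomes not-Q
    g1, g2 = not_g(g[1]), not_g(g[2])
    return ("or", g1, g2) if g[0] == "and" else ("and", g1, g2)

@dataclass(frozen=True)
class Clause:                               # q M <- G, with sign False for the negative name not-q
    sign: bool
    q: str
    arg: Term
    body: Goal

def not_d(c: Clause, ty: Ty) -> List[Clause]:
    """NotD(q M <- G) for a static, unary Horn clause: one fact  not-q N <- top  per N in Not(M)
    (failure by clash with the head) plus  not-q M <- NotG(G)  (failure in the body, dropped if bot)."""
    facts = [Clause(not c.sign, c.q, n, ("top",)) for n in complement(c.arg, ty, [])]
    body = not_g(c.body)
    return facts + ([] if body == ("bot",) else [Clause(not c.sign, c.q, c.arg, body)])

def show(t: Term) -> str:                   # paper-style rendering, e.g. "lam (λy1. Z2 y1)"
    if isinstance(t, Lam):
        return f"λ{t.x}. {show(t.body)}"
    if isinstance(t, FVar):
        return " ".join((t.name,) + t.params)
    return t.head + "".join(f" ({show(a)})" for a in t.args)

# Constructed clauses linapp and linxx from Sect. 2 (linxx has a head of type exp -> exp).
E1, E2 = FVar("E1"), FVar("E2")
LINAPP = Clause(True, "linear", App("app", (E1, E2)),
                ("and", ("atom", True, "linear", E1), ("atom", True, "linear", E2)))
LINXX = Clause(True, "linx", Lam("x", EXP, App("x")), ("top",))

if __name__ == "__main__":
    for c, ty in ((LINAPP, EXP), (LINXX, (EXP, EXP))):
        for n in not_d(c, ty):
            print(("" if n.sign else "¬") + f"{n.q}({show(n.arg)}) <- {n.body}")
```

Running it prints the negative fact ¬linear(lam (λy. Z y)) ← ⊤ together with ¬linear(app E1 E2) ← ¬linear(E1) ∨ ¬linear(E2), and for linxx the two facts ¬linx(λx. lam (λy. Z x y)) and ¬linx(λx. app (Z1 x) (Z2 x)) that open the disjunction computed in Sect. 4.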

Otherwise, we can think of the complement of an atomic assumption 
(q M1 … x … Mn), which is by definition parametric in some x, as static clause 
complementation w.r.t. x, i.e. NotD(q M1 … x … Mn). However, most of 
those Mi, which at compile-time are variables, will be instantiated at run-time: therefore 
it would be incorrect to compute their complement as empty. Since we cannot 
foresee this instantiation, we achieve clause complementation via the introduction of 
disequations. This is realized by the judgment Γ ⊢ Notα(D). We need the following 
notion: a parameter x:a is relevant to a predicate symbol q (denoted x ℛ^i q) if 
Σ(q) = A1 → ⋯ → An → o and for some 1 ≤ i ≤ n the target type of Ai is a. 

$$\Gamma\vdash\mathrm{Not}_\alpha(\top_q)=\bigwedge_{x\in dom(\Gamma)}\Big(\bigwedge_{x\,\mathcal{R}^i q}\mathrm{Not}^i_x(\top_q)\Big)\ \ (\mathrm{Not}_\alpha\top)$$

$$\frac{\mathrm{Not}_G(G)=G'}{\Gamma\vdash\mathrm{Not}_\alpha(Q\leftarrow G)=\Big(\bigwedge_{x\in dom(\Gamma)}\big(\bigwedge_{x\,\mathcal{R}^i q}\mathrm{Not}^i_x(Q)\big)\Big)\wedge(\neg Q\leftarrow G')}\ \mathrm{Not}_\alpha{\leftarrow}$$

Both rules refer to an auxiliary judgment Not^i_x(D): 

$$\frac{\Sigma(q)=A_1\to\cdots\to A_n\to o \quad \cdot\vdash sh(x,A_i)=e_x}{\mathrm{Not}^i_x(\top_q)=\forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\,\neg(q\,\tilde{Z}^i_x)\leftarrow\top}\ \mathrm{Not}_x\top$$

$$\frac{\Sigma(q)=A_1\to\cdots\to A_n\to o \quad \cdot\vdash sh(x,A_i)=e_x}{\mathrm{Not}^i_x(q\,M_n)=\bigwedge_{j\ne i}\big(\forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\,\neg(q\,\tilde{Z}^i_x)\leftarrow M_j\ne Z_j\big)}\ \mathrm{Not}_x At$$

The idea is to: 

— Pivot on x:a ∈ Γ. 

— Locate a type Ai such that x:a is relevant to q at i. 

— Complement D w.r.t. x and i. 

— Repeat for every Ai and for every x. 

The rest of the rules for Γ ⊢ Notα(D) are completely analogous to the ones for 
NotD(D) and are omitted. Both simply recur on the program respecting the duality 
of conjunction and disjunction w.r.t. negation. Notice the different treatment of the 
trivial clause ⊤ by rules NotD⊤ and Notα⊤: if no parameter has been assumed, then 
⊤ truly stands for the empty predicate definition and its complement is the universal 
definition ⊥. If, on the other hand, Γ is not empty, it means that ⊤_q has been introduced 
during the ⊤-normalization preprocessing phase and has been localized to the 
predicate q. The rule Not_x⊤ allows us to build a new negative assumption w.r.t. q, x, i 
in case ⊤_q is the only dynamic definition of q. As ⊤_q carries no information at all concerning 
q, the most general negative assumption is added; the notation Z̃^i_x abridges 
Z1 … Z_{i−1} e_x Z_{i+1} … Zn, where the Z’s are fresh logic variables and e_x is a term 
built by prefixing a parameter x with an appropriate number of lambdas, according to 
the type of its position; this is specified by the Γ ⊢ sh(x, A) judgment, omitted here 
(but see it in action in Example 1). 

Now that we have discussed how to perform clause, assumption and goal complementation, 
we synchronize them together in a phase we call augmentation, which 
simply inserts the correct assumption complementation into a goal and in turn into 
a clause. This is achieved by a judgment Γ;𝒟 ⊢ aug_D(D), again omitted here for 
reasons of space. 

Example 1. Consider the copy clause on λ-terms: 

cplam : copy (lam E) (lam F) 
        ← (∀x:exp. copy x x → copy (E x) (F x)). 

The augmentation procedure collects x:exp; copy x x and calls x:exp ⊢ Notα(copy x x). 
The two relevant positions give Not_x(copy x x) = (∀E':exp. ¬copy E' x ← x ≠ E') and 
Not_x(copy x x) = (∀F':exp. ¬copy x F' ← x ≠ F'), yielding: 

aug_D(cplam) : copy (lam E) (lam F) 
     ← (∀x:exp. 
          (∀E':exp. ¬copy E' x ← x ≠ E') ∧ 
          (∀F':exp. ¬copy x F' ← x ≠ F') → 
          (copy x x → copy (E x) (F x))). 

Let us see how rule Not_x⊤ enters the picture; recall the normalized linxlm clause. 
From · ⊢ sh(y, exp → exp) = λx. y we have Not_y(⊤_linx) = ¬linx(λx. y): 

aug_D(linxlm) : linx(λx. lam(λy. E x y)) 
               ← (∀y:exp. ¬linx(λx. y) → linx(λx. E x y)). 
Let us apply the complement algorithm to the linx predicate definition: 

NotD(def(linx)) = 
NotD(linxx) ∨ NotD(linxap1) ∨ NotD(linxap2) ∨ NotD(linxlm) = 

(¬linx(λx. app (E1 x) (E2 x)) ∧ ¬linx(λx. lam(λy. (E x y)))) ∨ 
(¬linx(λx. x) ∧ ¬linx(λx. lam(λy. (E x y))) 
   ∧ ¬linx(λx. app (E1 x) (E2 x)) ← strict(λx. E2 x) 
   ∧ ¬linx(λx. app (E1 x) (E2 x)) ← ¬linx(λx. E1 x)) ∨ 
(¬linx(λx. x) ∧ ¬linx(λx. lam(λy. (E x y))) 
   ∧ ¬linx(λx. app (E1 x) (E2 x)) ← strict(λx. E1 x) 
   ∧ ¬linx(λx. app (E1 x) (E2 x)) ← ¬linx(λx. E2 x)) ∨ 
(¬linx(λx. x) ∧ ¬linx(λx. app (E1 x) (E2 x)) 
   ∧ ¬linx(λx. lam(λy. (E x y))) ← (∀y:exp. ¬linx(λx. y) → ¬linx(λx. E x y))). 

The strict predicate is simply the complement of the vac predicate previously 
introduced. Again, these annotations can be internalized in the strict type theory 
described in [?]. 

We can now establish exclusivity and exhaustivity of clause complementation. Let 
𝒫⁻ = NotD(𝒫). 

Theorem 1 (Exclusivity). For every run-time context Γ;𝒟 instance of a schema 
S extracted from an augmented program 𝒫: 

1. It is not the case that Γ;𝒟 ⊢_𝒫 G and Γ;𝒟 ⊢_{𝒫⁻} NotG(G). 

2. It is not the case that Γ;𝒟 ⊢_𝒫 (𝒫 ∧ 𝒟) ≫ Q and Γ;𝒟 ⊢_{𝒫⁻} (𝒫⁻ ∧ 𝒟) ≫ ¬Q. 

Proof. (Sketch) By mutual induction on the structure of the derivations of Γ;𝒟 ⊢_𝒫 G 
and Γ;𝒟 ⊢_𝒫 (𝒫 ∧ 𝒟) ≫ Q. The proof goes through as there is no ‘bad’ interaction 
between the static and dynamic definition of a predicate; namely there is no overlap 
between a clause from 𝒫 and one from 𝒟, since in every atomic assumption there must be 
an occurrence of an eigenvariable and every corresponding term in a program clause 
head must start with a constructor. If both clauses are dynamic, it holds because 
an appropriate disequation is present; this approximates what happens in the static 
case, which is based on term exclusivity. 

The denial system comes in handy in the following proof. 

Theorem 2 (Exhaustivity). For every substitution θ, σ and run-time context 
Γ;[θ]𝒟 instance of a schema S extracted from an augmented program 𝒫: 

1. If for all θ, Γ;[θ]𝒟 ⊬_𝒫 [θ]G, then there is a σ such that Γ;[σ]𝒟 ⊢_{𝒫⁻} [σ]NotG(G). 

2.1 If, for all θ, Γ;[θ]𝒟 ⊬_𝒫 [θ]𝒫 ≫ [θ]Q, then there is a σ such that Γ;[σ]𝒟 ⊢_{𝒫⁻} 
[σ]NotD(𝒫) ≫ [σ]¬Q. 

2.2 If, for all θ, Γ;[θ]𝒟 ⊬_𝒫 [θ]D ≫ [θ]Q, then there is a σ such that Γ;[σ]𝒟 ⊢_{𝒫⁻} 
[σ]Notα(D) ≫ [σ]¬Q. 
The proof is by mutual induction on the structure of the given derivations. As a 
corollary, we are guaranteed that clause complementation satisfies the boolean rules 
of negation. 

Finally, we show how to eliminate from clauses the ‘∨’ operator stemming from 
the complementation of conjunctions, while preserving provability; this will recover 
uniformity in proof-search. 

The key observation is that in this context ‘∨’ can be restricted to a program 
constructor inside a predicate definition; therefore it can be eliminated by simulating 
unification in the definition, that is (Q1 ← G1) ∨ (Q2 ← G2) = θ(Q1 ← G1 ∧ G2), 
where θ = mgu(Q1, Q2). 

However, the (strict) higher-order unification problem is quite complex, even more 
so due to the mixed quantifier structure of HHF; since we already have parameter 
(dis)equations introduced by the augmentation procedure, as well as variable-variable 
(dis)equations stemming from left-linearization, we first compile clauses into an intermediate 
language which keeps the unification problems explicit and then we perform 
constraint simplification as in Twelf. Continuing with our example and simplifying 
the constraints: 

NotD(linxx) ∨ NotD(linxap1) = 
    ¬linx(λx. app (E1 x) (E2 x)) ← strict(λx. E2 x) ∧ 
    ¬linx(λx. app (E1 x) (E2 x)) ← ¬linx(λx. E1 x) ∧ 
    ¬linx(λx. lam(λy. E x y)). 

The final definition of ¬linear and in turn ¬linx is: 

¬linapp : ¬linear(app E1 E2) 
          ← ¬linear(E1) ∨ ¬linear(E2). 

¬linlam1 : ¬linear(lam(λx. E x)) 
           ← ¬linx(λx. E x) 
           ∨ (∀y:exp. (¬linx(λx. y) ∧ linear(y)) → ¬linear(E y)). 

¬linxap0 : ¬linx(λx. app (E1 x) (E2 x)) ← strict(λx. E1 x) ∧ strict(λx. E2 x). 
¬linxap1 : ¬linx(λx. app (E1 x) (E2 x)) ← ¬linx(λx. E1 x) ∧ strict(λx. E2 x). 
¬linxap2 : ¬linx(λx. app (E1 x) (E2 x)) ← ¬linx(λx. E2 x) ∧ strict(λx. E1 x). 
¬linxap3 : ¬linx(λx. app (E1 x) (E2 x)) ← ¬linx(λx. E1 x) ∧ ¬linx(λx. E2 x). 
¬linxlm : ¬linx(λx. lam(λy. E x y)) 
          ← (∀y:exp. ¬linx(λx. y) → ¬linx(λx. E x y)). 

5 Conclusions and Future Work 

We have presented elimination of negation in a fragment of higher-order HHF; our 
next task is to overcome some of the current restrictions, to begin with the extension 
to any order, which requires a more refined notion of context. The issue of local 
variables is instead more challenging. The proposal in [?] is not satisfactory and robust 
enough to carry over to logical frameworks with intensional universal quantification. 
Our approach will again be to synthesize an HHF definition for the clauses with local 
variables which during the transformations have become extensionally quantified. Our 
final goal is to achieve negation elimination in LF. 
Abstract. This paper introduces a model of IMLAL, the intuitionistic 
multiplicative (⊗, ⊸, §, !)-fragment of Light Affine Logic, based on games 
and discreet strategies. We define a generalized notion of threads, so that 
a play of a game (of depth k) may be regarded as a number of interwoven 
threads (of depths ranging from 1 to k). To constrain the way threads 
communicate with each other, we organize them into networks at each 
depth (up to k), in accord with a protocol: 

• A network comprises an O-thread (which can only be created by O) 
and finitely many P-threads (which can only be created by P). 

• A network whose O-thread arises from a !-game can have at most 
one P-thread, which must also arise from a !-game. 

• No thread can belong to more than one network. 

• Only O can switch between networks, and only P can switch between 
threads within the same network. 

Strategies that comply with the protocol are called discreet, and they give 
rise to a fully complete model of IMLAL. Since IMLAL has a polytime 
cut-elimination procedure, the model gives a basis for a denotational-semantic 
characterization of PTIME. 

Keywords: Game Semantics, Linear Logic, Complexity, PTIME. 



1 Introduction 

Light Linear Logic (LLL) [?] has a polytime cut-elimination procedure and can 
encode all polytime numeric functions. In Girard’s words, it is an “intrinsically 
polytime system” whose proofs may be regarded as (representations of) polytime 
algorithms. An intuitionistic affine variant of the Logic has recently been 
introduced by Asperti [?]. The system, called IMLAL2 (Second-order Intuitionistic 
Multiplicative Light Affine Logic), is arguably simpler than LLL, and yet 
gives the same characterization of PTIME. 

Our goal is to give a denotational characterization of PTIME by constructing 
a good game model of proofs (not just provability) of such light logics as LLL 
or IMLAL. This seems a non-trivial task: the only model of a light logic known 

* On leave from Nicholas Copernicus University, Toruń, Poland. 

** Webpage: http://www.comlab.ox.ac.uk/oucl/work/luke.ong.html 

P. Clote and H. Schwichtenberg (Eds.): CSL 2000, LNCS 1862, pp. 427-443, 2000. 
to us is one of provability, and is based on a fibred system of phase spaces [?]. 
The main result therein is a strong completeness theorem¹: if a formula is valid 
(i.e. every valuation in any fibred phase space validates it) then it is provable. 
For modelling proofs, an appropriate criterion to aim for is full completeness [?], 
which is best formulated in terms of a categorical model of the logic, in which 
formulas are denoted by objects and proofs by maps. We say that the model C 
is fully complete just in case the unique functor from the relevant free category 
(typically the classifying category of the logic or type theory) to C is full. In this 
paper, we take the first step towards a denotational-semantic characterization 
of PTIME by presenting a fully complete model for the quantifier-free IMLAL. 

One way to approach our model is to start from the AJM games in [2], 
and consider total, history-free strategies that are ≈-reflexive (≈ is a partial 
equivalence relation that relates strategies which have “equivalent responses at 
equivalent positions”). Thus a play of a shriek game !A may be viewed as a 
number of interwoven threads of A. The whisper game §A of light logic is a 
degenerate form of !A; a play of §A consists of only one thread of A. We 
introduce a generalized notion of threads at each depth i, called i-threads. To 
constrain the way threads communicate with each other, we organize threads 
into networks at each depth, in accord with a protocol. P-strategies that comply 
with the protocol are called discreet (to underline the property that P only 
“communicates” within a network). We can show from first principles that such 
strategies compose, and they give rise to a fully complete model of IMLAL. We 
refer the reader to the protocol (as presented in the framed box) in Section 2 
and illustrate it with an example. 

Example 1. Consider the two-player game of a valid sequent in Figure 1 and the twelve-move play which switches between the subgames as indicated therein (we use P and O to indicate which player has made the move). The play has two networks. Threads of the first network are contained in dashed shapes in Figure 1; they are the O-thread² m1 m12, and two P-threads, namely, m2 m3 m6 m11 and m4 m5. Threads of the second network are contained in dotted shapes in the Figure; they are the O-thread m7 m10 and the P-thread m8 m9. Protocol (p2) says that whenever O starts a new (O-)thread (e.g. with m7 but not m3), a new network is created. Protocol (p5) requires that only O may switch from one network to another existing network (e.g. from m10 to m11), but only P may switch from one thread to another existing thread within the same network (e.g. from m5 to m6).

Now by replacing the formula on the right of the turnstile by §(B ⊸ A), we get an invalid sequent. Consider the play that moves between the subgames, following exactly the same pattern as the preceding play. Note that the corresponding m8 violates protocol (p5) as it is a case of P attempting to switch back to the first network.



¹ The result is for a slight variant of LLL that has a §-operator which is not self-dual.
² For the purpose here, an O-thread is just a thread beginning with an O-move.

Fig. 1. Networks of (threads of) a play



To the best of our knowledge, the construction presented here is the first model of a system of light logic proofs. Our main contribution is a semantic analysis of the two crucial connectives ! and §. We could have worked on a model for LLL instead but decided on the intuitionistic affine system because it is a simpler (but perfectly adequate) setting to explain our ideas. We believe we can extend discreet games to model multiplicative LLL without difficulty: games for the classical system (i.e. extended by involutive negation) can be obtained by admitting positions that begin with P-moves; weakening can be invalidated by either introducing fairness [5] at the level of positions or exhaustion [5] at the level of strategies.



2 IMLAL

Intuitionistic Multiplicative Light Affine Logic (IMLAL) formulas are generated from atoms a, b, c, ⋯ by the connectives ⊗, ⊸, § (read "whisper") and ! (read "shriek"). Affine here means that the weakening rule is valid. We let Γ, Δ range over finite sequences of IMLAL formulas. The valid IMLAL sequents are defined by the rules in Figure 2. The two main results are:

Theorem 1 (Girard, Asperti).

1. Cut elimination in a proof p of Γ ⊢ A can be done in time proportional to |p| raised to a power that depends only on d, where d is the depth of ⊗Γ ⊸ A and |p| is the size of p.

2. All PTIME numeric functions can be encoded in IMLAL2, the second-order extension of IMLAL. □

Unfortunately we do not have the space to say anything more about the Theorem other than to direct the reader to the main references [?] for proofs and examples. The following properties of the modalities ! and §, which are the essence of light logics, are worth emphasizing (they are listed after Figure 2):
Fig. 2. The rules defining valid IMLAL sequents (each rule is written as its premise(s) above a line and its conclusion below it)

(id)       a ⊢ a

(exch)     Γ, A, B, Δ ⊢ G
           ─────────────────
           Γ, B, A, Δ ⊢ G

(wk)       Γ ⊢ B
           ─────────────────
           Γ, A ⊢ B

(cut)      Γ ⊢ A      A, Δ ⊢ B
           ─────────────────────
           Γ, Δ ⊢ B

(⊗-l)      A, B, Γ ⊢ G
           ─────────────────
           A ⊗ B, Γ ⊢ G

(⊗-r)      Γ ⊢ A      Δ ⊢ B
           ─────────────────────
           Γ, Δ ⊢ A ⊗ B

(⊸-l)      Γ ⊢ A      B, Δ ⊢ G
           ─────────────────────
           A ⊸ B, Γ, Δ ⊢ G

(⊸-r)      Γ, A ⊢ B
           ─────────────────
           Γ ⊢ A ⊸ B

(contr)    !A, !A, Γ ⊢ G
           ─────────────────
           !A, Γ ⊢ G

(!o)       ⊢ A
           ─────────
           ⊢ !A

(!)        A ⊢ B
           ─────────
           !A ⊢ !B

(§o)       ⊢ A
           ─────────
           ⊢ §A

(§)        A₁, ⋯, A_k, B₁, ⋯, B_l ⊢ G      (k + l > 0)
           ────────────────────────────────────────
           !A₁, ⋯, !A_k, §B₁, ⋯, §B_l ⊢ §G



1. ! is not a comonad: !A ⊬ A and !A ⊬ !!A, but we have duplication !A ⊢ !A ⊗ !A.

2. § is a degenerate or neutral form of !, i.e. we have !A ⊢ §A.

3. §A ⊗ §B ⊢ §(A ⊗ B) but !A ⊗ !B ⊬ !(A ⊗ B).

3 Games and Strategies

We consider two-player games between P (Proponent) and O (Opponent). Every play is started by O (this paper is concerned only with the intuitionistic fragment), and thereafter it alternates between P and O. Formally a game G is a three-tuple (M_G, λ_G, P_G) where

– M_G is a set of moves

– λ_G : M_G → {O, P} partitions moves into those that O can make, or O-moves, and those that P can make, or P-moves (we will write M_G^O, M_G^P for the set of O-moves and P-moves of G respectively)

– P_G is a prefix-closed set of finite alternating sequences of moves from M_G, each beginning with an O-move; we call elements of P_G positions or plays.

For example (∅, ∅, {ε}) (where ε is the empty sequence) is a game, which we call the empty game. We interpret atomic formulas a as single-move games G_a, which we also call atomic, defined as G_a = ({a}, {(a, O)}, {ε, a}). In a game context, a is called a token. In the following we shall abuse notation and often write G_a simply as a when it is clear from the context what we mean (e.g. we abbreviate G_a ⊸ G_a to a ⊸ a).
We construct new games from old using standard game constructions. We write s ↾ A to mean the subsequence of s consisting only of moves from A, and define P̄ = O and Ō = P. For a game G, we write M_G^⊛ to mean the set of finite alternating sequences of moves from M_G. The first two, tensor games A ⊗ B and linear function space games A ⊸ B, are standard. For ⊕ = ⊗ and ⊸, we have

M_{A⊕B} = M_A + M_B

P_{A⊕B} = { s ∈ M_{A⊕B}^⊛ | s ↾ A ∈ P_A ∧ s ↾ B ∈ P_B }

where λ_{A⊗B} is defined to be the canonical map [λ_A, λ_B] : M_A + M_B → {P, O}, and λ_{A⊸B} = [λ̄_A, λ_B]. Note that it is a consequence of the definition that every s ∈ P_{A⊗B} satisfies the O-Switching Condition: for each pair of consecutive moves mm' in s, if m and m' are from different components (i.e. one is from A, the other from B), then m' is an O-move. Similarly it follows that every s ∈ P_{A⊸B} satisfies the P-Switching Condition, i.e. only P can switch component.

The next two constructions, which we call box constructions, are related. The idea is that a play of a shriek game !A consists of a number of interwoven "threads"³ (or plays) of A, each of which is tagged explicitly by a number. The whisper game §A is a degenerate form of !A in the sense that a play consists of just one thread, which is tagged by *.

Shriek games !A:

M_{!A} = M_A × ℕ

λ_{!A}(m, i) = λ_A(m)

P_{!A} = { s ∈ M_{!A}^⊛ | ∀i ∈ ℕ. s ↾ i ∈ P_A }

Whisper games §A:

M_{§A} = M_A × {*}

λ_{§A}(m, *) = λ_A(m)

P_{§A} = { s ∈ M_{§A}^⊛ | π₁*(s) ∈ P_A }

where s ↾ i is the sequence of A-moves obtained first by projecting s onto the subsequence consisting of pairs whose second component is i, and then by taking the respective first projection of each pair; and where π₁*(s) is the sequence of A-moves obtained from s by taking the respective first projection of each pair.

A deterministic P-strategy, or simply strategy, for a game G is a non-empty, prefix-closed subset σ of P_G satisfying: (i) for any even-length s, if s ∈ σ and sm ∈ P_G then sm ∈ σ, and (ii) (determinacy) if even-length sm and sm' are both in σ, then m = m'. We say that σ is history-free if there is a partial function f : M_G^O ⇀ M_G^P such that for any odd-length sm ∈ σ, we have smm' ∈ σ if and only if f(m) is defined and equal to m'; we write σ = σ_f just in case f is the least such function. Further it is said to be injective history-free if the least such f is injective. If for every odd-length s ∈ σ, there is some m such that sm ∈ σ, we say that σ is total. For any games A₁, A₂ and A₃ we define ℒ(A₁, A₂, A₃) to be the set of finite sequences s of moves from M_{A₁} + M_{A₂} + M_{A₃} such that for any pair of consecutive moves mm' in s, if m ∈ M_{A_i} and m' ∈ M_{A_j} then |i − j| ≤ 1. (We call ℒ(A₁, A₂, A₃) the set of interaction sequences over (A₁, A₂, A₃).) Take strategies σ and τ for games A ⊸ B and B ⊸ C respectively. We define



³ In Section 4 we give a formal definition of a generalized notion of threads.

the composite σ ; τ of σ and τ as:

σ ; τ = { s ↾ (A, C) : s ∈ ℒ(A, B, C) ∧ s ↾ (A, B) ∈ σ ∧ s ↾ (B, C) ∈ τ }.

This is the standard notion of composition of strategies. Games and strategies (maps from A to B are strategies of A ⊸ B) form a symmetric monoidal closed category; the category whose maps are injective history-free strategies forms a subcategory. All this is standard (see e.g. [?]).

Important Notation. The moves of a tensor game are just the disjoint union of the moves of the respective component games, similarly for function space games. For technical convenience, we fix representations of moves specific to the two constructions

M_{A⊗B} = M_A × {l} ∪ M_B × {r}

M_{A⊸B} = M_A × {L} ∪ M_B × {R}

We call free games those that are constructed from atomic games. We emphasize that from now on, by games we shall mean free games. A move of a free game has the form

m = ((⋯((a, i_n), i_{n−1}) ⋯), i_1)

where a is a token and each i_j ranges over ℕ ∪ {*, l, r, L, R}. For convenience, we shall write the move as a pair (a, i_n ⋯ i_1), and call the second component its occurrence. Let i'_d ⋯ i'_1 be the subsequence of i_n ⋯ i_1 consisting only of numbers and *. We define the depth of the move m to be d, the index at depth j, or j-index, to be the suffix i'_j ⋯ i_2 i_1 of the occurrence that starts at i'_j, and the token to be a. For example, the 1-index, 2-index and 3-index of the move (a, 2r*Ll33R) are 3R, 33R and *Ll33R respectively. We say that a subgame A of a game G occurs at depth j if A is in the scope of j box constructors. A game is said to have depth k just in case k is the maximum depth of all its subgames. (It is straightforward to show that k is equal to the maximum depth of its moves.) We say that a strategy σ for a free game is token-reflecting if for any even-length smm' ∈ σ, m and m' have the same token.

Example 2. Consider the game !(!a ⊗ !b) ⊸ !§a (which, qua formula, is provable); (a, *3R)(a, 2l5L) and (a, *3R)(b, 1r4L) are positions of the game. Observe that the occurrence of a move may be read as a path by which its token can be reached from outside-in.

It is straightforward to show that IMLAL proofs are denoted by token-reflecting, injective history-free, total strategies. Indeed these properties are enough to characterize denotations of proofs of the (⊗, ⊸)-fragment of Intuitionistic Multiplicative Affine Logic, which we abbreviate to IMAL. (Valid IMAL sequents are those defined by the first eight rules in Figure 2.)

Theorem 2 (Full Completeness). For any free game given by an IMAL-sequent Γ ⊢ A, and for any IMAL-winning (i.e. token-reflecting, injective history-free, total) strategy σ for the game, there is a derivation of Γ ⊢ A whose denotation is σ. □

(A proof of the Theorem can be extracted from [?].)

However, to characterize IMLAL proofs, among other conditions, we require strategies to act uniformly on threads, as the next example illustrates.

Example 3. Consider the game !a ⊗ !a ⊸ !a; the strategy defined by the function f: for n ∈ ℕ

(a, (2n)R) ↦ (a, nlL)

(a, (2n + 1)R) ↦ (a, nrL)

is not the denotation of any proof of the corresponding sequent (there are in fact only two proofs).

Thread uniformity and ≈-reflexivity. In order to cut the strategies down to size, we use a partial equivalence relation ≈ over strategies introduced in [?]. First we define a ≈-game G to be a four-tuple (M_G, λ_G, P_G, ≈_G) where (M_G, λ_G, P_G) is a game, and ≈_G is an equivalence relation on P_G satisfying:

– sa ≈_G tb ⇒ s ≈_G t

– s ≈_G t ⇒ λ_G*(s) = λ_G*(t)

– s ≈_G t ∧ sa ∈ P_G ⇒ ∃b ∈ M_G. tb ∈ P_G ∧ sa ≈_G tb.

We extend the four game constructions introduced earlier to their respective ≈-game constructions. For ⊕ = ⊗ or ⊸, we have s ≈_{A⊕B} t just in case s ↾ A ≈_A t ↾ A, s ↾ B ≈_B t ↾ B and π₂(s_i) = π₂(t_i) for each i, where s_i denotes the i-th move of s. For whisper games §A, we have s ≈_{§A} t if π₁*(s) ≈_A π₁*(t). For shriek games !A, we have s ≈_{!A} t if

∃α ∈ S(ℕ). ∀i ∈ ℕ. s ↾ i ≈_A t ↾ α(i) ∧ α*(π₂*(s)) = π₂*(t)

where S(ℕ) is the collection of permutations of ℕ. The equivalence relation ≈_G extends to a partial equivalence relation over strategies of G: σ ≈_G τ holds just in case for all s ∈ σ, t ∈ τ, sa ∈ P_G, tc ∈ P_G, if sa ≈_G tc then the following bisimulation-style properties hold:

– sab ∈ σ ⇒ ∃d ∈ M_G. tcd ∈ τ ∧ sab ≈_G tcd

– tcd ∈ τ ⇒ ∃b ∈ M_G. sab ∈ σ ∧ sab ≈_G tcd.

The strategies that we are interested in are those σ that are ≈-reflexive, i.e. σ ≈ σ; we write the partial equivalence class of σ as [σ]. The intuition is that such strategies "behave equivalently at equivalent positions". For instance two threads of a shriek game !A that have equivalent underlying A-positions, but tagged by different numbers, are equivalent. Thus we reject the strategy σ_f in Example 3 (its response at even-numbered threads is different from that at equivalent but odd-numbered threads); see Example 6 for another illustration of the effect of ≈.

It turns out that ≈ is preserved by composition, so that games, with maps from A to B given by ≈_{A⊸B} partial equivalence classes of injective history-free strategies of A ⊸ B, form a symmetric monoidal closed category (see [2]). From now on, by games we shall mean ≈-reflexive free games.
4 Network Protocol and Discreet Strategies

In this section we introduce the network protocol and consider the strategies that comply with it. First we need to formalize a generalized notion of threads of a game. Fix a free game G of depth k. By an i-index of G, we mean the i-index of some move of G (so i ≤ k). Threads of depth i, or simply i-threads, of G are named by i-indices of G. A thread named by θ is the set of moves of G whose i-index is θ. (We start counting from outside-in, so that the outermost thread is at depth 1.) An i-thread named by θ is said to be a P-thread if there is an odd number of occurrences of L in θ, otherwise it is said to be an O-thread; if the leftmost symbol of the index θ is a number we say the i-thread is of !-type, otherwise the thread is of §-type.

Remark 1. (i) For any game G, we write T^P_{G,i} (respectively T^O_{G,i}) for the set of P-threads (respectively O-threads) of G at depth i. We shall omit the subscript i whenever we can get away with it. For any A and B it is easy to see that

T^P_{A⊗B} = T^P_A + T^P_B      T^O_{A⊗B} = T^O_A + T^O_B      T_{!A} ≅ T_A × ℕ

T^P_{A⊸B} ≅ T^O_A + T^P_B      T^O_{A⊸B} ≅ T^P_A + T^O_B      T_{§A} ≅ T_A

(ii) We shall often analyse a play s by considering its subsequence consisting of moves belonging to a given i-thread. We call that subsequence the i-thread of the play s. (Thus an i-thread of a game is a set, and an i-thread of a play is a sequence, of moves.)

(iii) It is straightforward to prove, by induction on the structure of the game, that any O-thread (respectively P-thread) of a play must begin with an O-move (respectively P-move).



Example 4. Consider the game !!(a ⊸ a) ⊸ !!(a ⊸ a) and the play

(a, R41R) (a, R32L) (a, L32L) (a, R92L) (a, L92L) (a, L41R)

which we refer to as m1 ⋯ m6 in the picture (where only the respective numeric subsequences of the six occurrences are shown).

[Picture: the six moves m1, …, m6 placed under the subgames of !!(a ⊸ a) ⊸ !!(a ⊸ a), labelled by their numeric subsequences 41, 32, 32, 92, 92, 41.]

The two 1-threads of the play are m1 m6 (named by 1R) and m2 m3 m4 m5 (named by 2L); and the three 2-threads are m1 m6 (named by 41R), m2 m3 (named by 32L) and m4 m5 (named by 92L).
A network protocol. To model IMLAL, we need to constrain the way threads interact or communicate with each other. A key innovation of this paper is to organize threads into networks in accord with a protocol. We are interested in plays that obey the following network protocol at every depth (up to the depth of G):

(p1) A network (at depth d) comprises an O-thread and finitely many P-threads (all at depth d).

(p2) Network and Thread Creation: Only O can open a new network, and he does so whenever he starts a new O-thread; whenever P opens a new thread in response to an O-move from a network, a new P-thread is added to that network.

(p3) !-Network: A network whose O-thread is of !-type (call the network a !-network) has at most one P-thread, which must also be of !-type.

(p4) No thread can belong to more than one network.

(p5) Switching Condition: Only O can switch network, i.e. revisit one opened earlier or enter the threadless universe.⁴ Only P can switch from one thread to another existing thread within the same network.

⁴ At depth d, the threadless universe of G consists of moves of depth < d.



In the following we motivate and illustrate the protocol rules by considering the game denotations of several simple IMLAL sequents.

Example 5. (i) Take the game a ⊸ !a. Any opening move starts an O-thread and hence a network. The only P-move of the game is from the threadless universe, and P responding with that would violate protocol (p5). There is no total strategy for the game !!a ⊸ !a because (p2) would be violated at depth 2; similarly for !a ⊸ a and !a ⊸ !!a. The preceding analysis applies in each case where ! is replaced by §. Thus neither of the box constructors is a comonad.

(ii) Consider the token-reflecting strategies for the respective games denoting the sequents:

⊢ §a ⊗ §b ⊸ §(a ⊗ b)

⊢ §(a ⊗ b) ⊸ §a ⊗ §b

For the first game, it is an easy exercise to check that the positions of the token-reflecting strategy obey the protocol. For the second, there are two O-threads (named respectively by *lR and *rR) and the one P-thread belongs to both the respective networks specified by the O-threads, thus violating (p4).

(iii) Consider the respective game denotations of the sequents:

⊢ !a ⊗ !b ⊸ !(a ⊗ b)

⊢ !(a ⊗ b) ⊸ !a ⊗ !b

The positions (a, l1R)(a, 1lL) and (b, r1R)(b, 1rL) belong to the token-reflecting total strategy for the first game. The respective first moves (a, l1R) and (b, r1R) belong to the same O-thread of the game, and hence the same network, but the respective second moves (a, 1lL) and (b, 1rL) belong to different P-threads, thus violating (p3). The second sequent is provable in IMLAL but not in LLL.

(iv) Consider the game !!(a ⊸ a) ⊸ !!(a ⊸ a) of Example 4. The play therein violates (p3): the !-network at depth 2 has two P-threads. However it is easy to see that the formula is provable. Indeed the game has a position that complies with the protocol, for instance

(a, R53R) (a, R97L) (a, L97L) (a, L53R).

For a related example, take the game !!(a ⊸ a) ⊸ !§(a ⊸ a) (whose corresponding formula is provable). The play

(a, R*1R) (a, R32L) (a, L32L) (a, R92L) (a, L92L) (a, L*1R)

corresponds to the play in Example 4, but it complies with the protocol.

(v) Consider the respective token-reflecting strategies for the games denoting the following sequents:

(1) ⊢ (!a ⊸ !b) ⊸ !(a ⊸ b)      (3) ⊢ (§a ⊸ §b) ⊸ §(a ⊸ b)

(2) ⊢ !(a ⊸ b) ⊸ (!a ⊸ !b)      (4) ⊢ §(a ⊸ b) ⊸ (§a ⊸ §b)

In the first and the third games, the fourth move violates protocol (p5) as it is a case of P attempting to switch back to the original network. In the second game, protocol (p3) is violated by the fourth move as P tries to open a second !-thread of a !-network. The strategy for the fourth game complies with the protocol.
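As an added example (not code from the paper), the following Python encodes the occurrence, depth and j-index notation of Section 3 and checks a play against (p2)-(p5) at a given depth by building the least network function η, in the manner of the formal definition of networked positions; it reproduces the verdicts of Examples 4 and 5. It assumes single-character tags (one-digit numbers and *, as in the paper's examples), and the copycat plays used for Example 5(v) are constructed here rather than taken from the paper.

```python
"""Network-protocol checker for plays of free IMLAL games (added example).

Moves are written as in the paper, (token, occurrence), the occurrence read
innermost tag first and outermost tag last, e.g. (a, R41R).  Assumption made
here: every tag is a single character, so a box tag is one digit or '*' and
the tensor/function-space tags are l, r, L, R, exactly as in the examples.
"""
from dataclasses import dataclass
from typing import Optional

BOX_TAGS = set("0123456789*")   # tags contributed by ! (a number) or § (*)


@dataclass(frozen=True)
class Move:
    token: str
    occ: str   # occurrence, innermost tag first (left) to outermost (right)


def parse_play(text: str) -> list:
    """'(a,R41R) (a,R32L)' -> [Move('a', 'R41R'), Move('a', 'R32L')]."""
    moves = []
    for chunk in text.split(")"):
        if chunk.strip():
            token, occ = chunk.strip().lstrip("(").split(",")
            moves.append(Move(token.strip(), occ.strip()))
    return moves


def depth(m: Move) -> int:
    """Number of box constructors the token sits under."""
    return sum(c in BOX_TAGS for c in m.occ)


def polarity(m: Move) -> str:
    """Each L flips polarity; tensor and box tags do not (intuitionistic games)."""
    return "P" if m.occ.count("L") % 2 else "O"


def index(m: Move, d: int) -> Optional[str]:
    """d-index: the suffix of the occurrence starting at the d-th box tag
    counted from the right.  None if the move lies in the threadless
    universe at depth d (i.e. depth(m) < d)."""
    seen = 0
    for pos in range(len(m.occ) - 1, -1, -1):
        if m.occ[pos] in BOX_TAGS:
            seen += 1
            if seen == d:
                return m.occ[pos:]
    return None


def thread_polarity(idx: str) -> str:
    """P-thread iff the index contains an odd number of L's."""
    return "P" if idx.count("L") % 2 else "O"


def is_bang(idx: str) -> bool:
    """!-type thread: leftmost symbol of the index is a number, not '*'."""
    return idx[0].isdigit()


def check_protocol(play: list, d: int) -> Optional[str]:
    """Return None if the play obeys the network protocol at depth d, else
    a reason naming the offending move (1-based) and the protocol rule."""
    eta = {}   # network function: P-thread -> O-thread of its network
    for j in range(0, len(play) - 1, 2):
        o, p = play[j], play[j + 1]
        if polarity(o) != "O" or polarity(p) != "P":
            return f"move {j + 1}: play must alternate O, P"
        t_o, t_p = index(o, d), index(p, d)
        if (t_o is None) != (t_p is None):    # Lemma 1.1: same depth, else (p2)/(p5)
            return f"move {j + 2}: P and O moves differ in depth (p2/p5)"
        if t_o is None or t_o == t_p:         # both threadless, or case (iv)
            continue
        # the O-thread heading the network in which O has just moved
        net = t_o if thread_polarity(t_o) == "O" else eta.get(t_o)
        if net is None:
            return f"move {j + 1}: O-move in a P-thread never opened by P"
        if thread_polarity(t_p) == "O":       # case (i): P answers in the O-thread
            if t_p != net:
                return f"move {j + 2}: P switches network (p5)"
            continue
        owner = eta.get(t_p)                  # cases (ii) and (iii)
        if owner is None:
            eta[t_p] = net                    # (p2): new P-thread joins the network
            if is_bang(net):                  # (p3): one !-type P-thread per !-network
                members = [t for t, n in eta.items() if n == net]
                if len(members) > 1 or not is_bang(t_p):
                    return f"move {j + 2}: !-network {net} gets P-threads {members} (p3)"
        elif owner != net:
            return f"move {j + 2}: P-thread {t_p} would lie in two networks (p4)"
    return None


def check_all_depths(play: list) -> Optional[str]:
    """First violation over depths 1..k, k the maximum depth of a move."""
    for d in range(1, max((depth(m) for m in play), default=0) + 1):
        reason = check_protocol(play, d)
        if reason:
            return f"depth {d}, {reason}"
    return None


if __name__ == "__main__":
    # The play of Example 4: fine at depth 1, but at depth 2 the !-network
    # headed by 41R acquires the two P-threads 32L and 92L, violating (p3).
    ex4 = parse_play("(a,R41R) (a,R32L) (a,L32L) (a,R92L) (a,L92L) (a,L41R)")
    print(check_all_depths(ex4))
    # The compliant position of Example 5(iv) passes at every depth.
    print(check_all_depths(parse_play("(a,R53R) (a,R97L) (a,L97L) (a,L53R)")))
```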

Here are some useful consequences of the network protocol.

Lemma 1. 1. Each P-move has the same depth as the preceding O-move.

2. Each network at depth d + 1 is embedded into a single network at depth d.

3. P's switching condition is a consequence of O's. □

We leave the largely straightforward proofs as an exercise.



Networked positions and discreet strategies. We are now in a position to give a formal definition of strategies that comply with the network protocol. We denote the set of threads of a game G by T_G, which partitions into T^O_G (the set of O-threads) and T^P_G (the set of P-threads), and we write T_{G,i} for the set of i-threads. We formalize the network protocol with the help of two (kinds of) functions.

A thread function (at depth i) is a partial function t_{G,i} : M_G ⇀ T_{G,i} that maps a move to the i-thread in which it occurs. Whenever the game G and depth i are clear from the context, we will abbreviate t_{G,i}(m) to t_m.
Network function (at depth i) η_{G,i}. We say that a partial function

η_{G,i} : T^P_{G,i} ⇀ T^O_{G,i}

networks a position s ∈ P_G of even length at depth i (with respect to t_{G,i}) just in case for each odd j, t_{G,i}(s_j) is defined if and only if t_{G,i}(s_{j+1}) is, and if both are defined, one of the following holds (we drop the subscripts from η_{G,i} and t_{G,i} whenever we safely can):

(i) η(t(s_j)) = t(s_{j+1})        (ii) t(s_j) = η(t(s_{j+1}))

(iii) η(t(s_j)) = η(t(s_{j+1}))   (iv) t(s_j) = t(s_{j+1})

(This is just to say that at depth i the P-move s_{j+1} is in the same network as the O-move s_j: there are four cases depending on whether s_j and s_{j+1} are in a P-thread or an O-thread.) In addition, for any O-thread t^O, if t^O is of !-type then the inverse image of t^O, written η^{-1}(t^O), contains at most one thread, which must also be of !-type. □

The astute reader will notice that we have not yet captured all the protocol rules. What is missing is a compactness condition which is part of (p1): η^{-1}(t^O) is finite for every O-thread t^O.

Example 6. To see why the compactness condition is desirable, consider the (first-order) Church numerals game (see [4, 3] for further details)

!(a ⊸ a) ⊸ §(a ⊸ a).

Let η_n be the (least) function that networks any fixed n-th Church numeral strategy (any two such n-th Church numeral strategies are ≈-equivalent); and let t^O be the unique O-thread of the game. It is easy to see that η_n^{-1}(t^O) has exactly n P-threads. The "infinity numeral" strategy is ruled out by the compactness condition.

We say that a strategy σ on G is networked at depth i if there exists a function η_{G,i} that networks every s ∈ σ at depth i. Further we say that it is compactly networked at depth i if the compactness condition is satisfied. A strategy σ is said to be discreet if it is compactly networked at every depth up to the depth of G.



5 A Model of IMLAL

We are interested in token-reflecting, injective history-free, ≈-reflexive, total discreet strategies. To save writing, we call such strategies winning. Let 𝒢 be the category whose objects are free games, and whose maps A → B are ≈ partial equivalence classes of winning strategies of A ⊸ B. Our first task is to check that 𝒢, as specified by the above data, is a well-defined category; the main technical problem is to prove that total discreet strategies compose. Secondly we show that 𝒢 is a model of IMLAL.
Total discreet strategies compose. Consider the games A, B and C and suppose u is an interaction sequence of two positions p₁ ∈ P_{A⊸B} and p₂ ∈ P_{B⊸C} which are networked by η_{A⊸B,i} and η_{B⊸C,i} respectively at a given depth i. First we would like to show that u ↾ (A, C) can be networked, and that all positions of the composite strategy are networked by the same network function η_{A⊸C,i}.

Notation. Fix a network function η_G. We shall write t' ≺_G t to mean η_G(t) = t', so for each P-thread t there can be at most one O-thread t' such that t and t' are in the same network. Our argument in the following is with respect to a fixed depth i. For ease of writing, we shall drop all references to the depth and omit the subscript i from η_{A⊸C,i}, t_{A⊸C,i} etc.

First we define the network function η_{A⊸C}: for any t^O ∈ T^O_{A⊸C} and t^P ∈ T^P_{A⊸C}, we decree that η_{A⊸C}(t^P) = t^O (i.e. t^O ≺_{A⊸C} t^P) just in case there exist b₁, ⋯, b_k ∈ T_B such that

t^O ≺₁ b₁ ≺₂ b₂ ≺₃ ⋯ ≺_{k−1} b_{k−1} ≺_k b_k ≺_{k+1} t^P      (1)

where each ≺_i ∈ {≺_{A⊸B}, ≺_{B⊸C}}, and for each i ∈ {1, ⋯, k}, ≺_i ≠ ≺_{i+1}. (Each b_i in (1) above is actually the embedding image of the B-thread in T_{A⊸B} or T_{B⊸C} as appropriate; see Remark 1, but we stick to b_i by abuse of notation.) Note that if t^O and t^P are both A-threads (respectively C-threads) and t^O ≺_{A⊸B} t^P (respectively t^O ≺_{B⊸C} t^P) then t^O ≺_{A⊸C} t^P, which is the case of k = 0. Because η_{A⊸B} and η_{B⊸C} are partial functions, we first observe that η_{A⊸C} is a partial function from T^P_{A⊸C} to T^O_{A⊸C}.

Proposition 1. Take any contiguous segment m₀ m₁ ⋯ m_k m_p of u such that m₀, m_p ∈ M_A + M_C and, for i = 1, ⋯, k, m_i ∈ M_B. If m₀ is part of a thread then m₀ and m_p are in the same network with respect to η_{A⊸C}, i.e. writing t^O as the O-thread of m₀'s network, we have either t^O = t_{m_p} or t^O ≺_{A⊸C} t_{m_p}. □

Note that η_{A⊸C} has been defined only in terms of η_{A⊸B} and η_{B⊸C}. Moreover, if σ and τ satisfy (p3), so does σ ; τ, because if

t^O ≺₁ b₁ ≺₂ b₂ ≺₃ ⋯ ≺_{k−1} b_{k−1} ≺_k b_k ≺_{k+1} t^P

and t^O is a !-thread, then by (p3) applied alternately to σ and τ, we deduce that b₁, ⋯, b_k and t^P are unique and are all !-threads. Thus if strategies σ and τ are networked at depth i by η_{A⊸B} and η_{B⊸C} respectively, σ ; τ is networked by η_{A⊸C} at depth i. Since the preceding argument is independent of i, we can conclude:

Theorem 3. Strategies that are networked at all depths compose. □

By first proving the following

Proposition 2. Suppose σ : A ⊸ B and τ : B ⊸ C are networked strategies. There exists no interaction sequence u over (A, B, C) such that for some d ≥ 1:

1. the number of (distinct) d-indices of threads occurring in u ↾ B is infinite

2. the number of d-indices of O-threads occurring in u ↾ A and u ↾ C is finite

3. u ↾ (A, B) ∈ σ and u ↾ (B, C) ∈ τ. □

we can deduce that total compactly networked strategies compose. To summarize, we have

Theorem 4 (Compositionality). Discreet strategies compose. □



𝒢 is a model of IMLAL. For any winning strategy of A ⊸ B defined by the function f, and for any ℕ-involution α (i.e. α is a self-inverse bijection from ℕ to ℕ) we define a strategy of !A ⊸ !B given by the function !(f, α). Suppose f(m, δ) = (m', δ') where δ, δ' ∈ {L, R}; we define

!(f, α) : ((m, i), δ) ↦ ((m', i), δ')      if δ = δ'
                        ((m', α(i)), δ')   otherwise

It is straightforward to show that !(f, α) defines a winning strategy, and that σ_{!(f,α)} ≈ σ_{!(f,β)} for any ℕ-involution β. Indeed ! extends to a functor 𝒢 → 𝒢.

We leave the definition of the functor § : 𝒢 → 𝒢 as an easy exercise.

Proposition 3. 1. §, ! : 𝒢 → 𝒢 are functorial.

2. There are canonical 𝒢-maps, natural in A and B, as follows:

μ_{A,B} : §A ⊗ §B → §(A ⊗ B)

ν_A : !A → §A

Δ_A : !A → !A ⊗ !A

By now the reader should have no difficulty in constructing the canonical maps. By abuse of notation, we use μ also for the canonical map

μ : §A₁ ⊗ ⋯ ⊗ §A_n → §(A₁ ⊗ ⋯ ⊗ A_n).

As 𝒢 is symmetric monoidal closed, and in view of the Proposition, we can say that 𝒢 is a model of IMLAL.



6 Full Completeness

The section concerns a full completeness result:

Theorem 5 (Full Completeness). For any winning strategy σ for the free game G given by an IMLAL sequent Γ ⊢ C, there is a derivation S of the sequent such that σ is the denotation of S. □

In the following we sketch a proof of the Theorem. First we give two useful lemmas.

Lemma 2 (Deboxing). In the category 𝒢:

1. For any map F : !A → !B there is a unique map f : A → B such that F = !f.

2. If the map F : !A₁ ⊗ ⋯ ⊗ !A_m ⊗ §B₁ ⊗ ⋯ ⊗ §B_n → §C uses each !A_i once (in the sense that the depth-1 network of any winning strategy that represents F comprises one 1-thread of !A_i), then there is a unique map

f : A₁ ⊗ ⋯ ⊗ A_m ⊗ B₁ ⊗ ⋯ ⊗ B_n → C

such that F = (ν ⊗ ⋯ ⊗ ν ⊗ id ⊗ ⋯ ⊗ id) ; μ ; §f (with m copies of ν and n copies of id), where μ and ν are the canonical maps defined in Proposition 3. □

Let σ be an IMAL-winning strategy for a free game given by an IMAL-sequent Δ ⊢ P ⊗ Q where Δ = D₁, ⋯, D_n. We say that σ is splitting just in case there is a partition of Δ into (Δ₁, Δ₂) and IMAL-winning strategies σ₁ and σ₂ for Δ₁ ⊢ P and Δ₂ ⊢ Q respectively such that σ = σ₁ ⊗ σ₂.

Lemma 3 (Pivot). If σ is not splitting, then there is some D_i = A ⊸ B in Δ (which we shall call a pivot) and IMAL-winning strategies τ and υ for Θ ⊢ A and B, Ξ ⊢ P ⊗ Q respectively, where (Θ, Ξ) is a partition of Δ \ {D_i}, such that σ can be defined in terms of τ and υ. □

We prove the Theorem by induction on the size of the sequent Γ ⊢ C that defines the free game G. W.l.o.g. we assume that no formula in Γ = C₁, ⋯, C_n is a tensor, and every C_i is σ-reachable in the sense that there is a position in σ that contains some C_i-move.

Step 1. Decontract at depth 1, if necessary, to get a corresponding winning strategy σ₁ for Γ₁ ⊢ C so that every formula in Γ₁ is used once by σ₁.

Step 2. It suffices to consider the following cases of C:

I. C = P ⊗ Q

II. C = □P, a box formula, i.e. □ = ! or §

III. C = a, an atom.

For Case I, if P ⊗ Q is splitting, then split it to get two smaller instances (of a winning strategy for a free game). Otherwise, we transform the sequent by adding a fresh atom as "x ⊸ −" inside each box-formula from Γ₁ and adding a copy of "x ⊸ −" of negative polarity inside the O-box of the corresponding network. E.g. the sequent §c, !(c ⊸ d), §(d ⊸ e), §e ⊸ !a ⊗ !b, !c ⊢ §(c ⊗ a) ⊗ §b is transformed to

§(x ⊸ c), !(y ⊸ (c ⊸ d)), §(z ⊸ (d ⊸ e)), §(x ⊸ (y ⊸ (z ⊸ e))) ⊸ !a ⊗ !b, !(v ⊸ c) ⊢ §(v ⊸ c ⊗ a) ⊗ §b

Call the new sequent Γ' ⊢ C' and the corresponding strategy σ'. Note (i) σ' is a winning strategy; (ii) the new ⊸-formulas added cannot be pivots as they communicate with the O-threads of their respective networks. Now consider a second transformation to (say) Γ'' ⊢ C'' which is defined by "forgetting all the boxes" and turning it into a free IMAL-game, and call the corresponding strategy σ''. Observe that if σ'' is splitting in IMAL then σ' is also splitting in IMLAL, because all formulas in Γ'' are ⊸-formulas or atoms. Suppose σ'' is not splitting in IMAL. Then by Lemma 3 there must be a pivot in Γ''. By construction of Γ', that pivotal ⊸-formula cannot occur inside a box in Γ₁, so the pivot is also a pivot for Γ₁ ⊢ P ⊗ Q. With the pivot, we obtain two smaller instances, to which we can apply the induction hypothesis.

For Case II, if Γ₁ does not contain a ⊸-formula, then every formula in it must be a box-formula; we use Lemma 2 to strip off the outermost boxes, and so obtain a smaller instance, and then apply the induction hypothesis. Otherwise, □P is part of some network □G₁, ⋯, □G_l. For each G = P, G₁, ⋯, G_l, we replace □G by □G ⊗ □G. E.g. the sequent c, c ⊸ !b, §(b ⊸ a) ⊢ §a is transformed to

c, c ⊸ (!b ⊗ !b), §(b ⊸ a) ⊗ §(b ⊸ a) ⊢ §a ⊗ §a

Let σ' be the corresponding strategy for the transformed game Γ' ⊢ □P ⊗ □P; σ' is not splitting (because the ⊸-formula in Γ' is reachable from both copies of □P on the right). This is an instance of the preceding case. Finally a similar (but simpler) transformation can be applied to reduce Case III to Case I.

Further work. An obvious direction is to extend the construction to IMLAL2, the second-order system. Another is to check that the model is not just fully but also faithfully complete. We expect to prove this with respect to an appropriate notion of equality between IMLAL proof nets. Also worth developing is a convenient syntax for IMLAL2 as a PTIME intermediate (or meta-) programming language.

Acknowledgments. We are grateful to Hanno Nickau for discussions on LLL. 
Abstract. In order to describe the real-time behaviour of programs in 
terms of Duration Calculus (DC), proposed by Zhou Chaochen, C.A.R. 
Hoare and A.P. Ravn in [2], which can specify real-time requirements of 
computing systems, quantifications over program variables are inevitable, 
e.g. to describe local variable declaration, to declare internal channels and 
so on. So a higher-order duration calculus (HDC) is established in [?]. 
This paper proves completeness of HDC on abstract domains by encod- 
ing HDC into a complete first-order two-sorted interval temporal logic 
($IL_2$). This idea is hinted by [?]. All results shown in this paper are obtained 
under the assumption that all program variables have finite variability. 

Keywords: duration calculus, higher-order logic, interval temporal 
logic, completeness 



1 Introduction 

In order to describe the real-time behaviour of programs in terms of DC, quan- 
tifications over program variables are inevitable, e.g. to describe local variable 
declaration and so on. So a higher-order duration calculus is established in [?]. 
In [?], a real-time semantics of local variables has been demonstrated, and some 
real-time properties of programs have been derived using HDC. 

In order to specify the behaviour of real-time programs, program variables 
$V_i$, $i \geq 0$, are introduced into HDC. Predicates of program variables, constants, 
and global variables, such as $(V < 3)$ and $(V = x)$, are taken as states. To 
axiomatise the finite variability of program variables, the infinite rule ($\omega$-rule) 
proposed in [?] is necessary, since [5] has shown that the finite variability cannot 
be axiomatised by finite rules on abstract domains. 

In programming languages, value passing involves past and future time, to 
receive an initial value from the previous statement and to pass the final value to the 
next statement. The chop modality is a contracting one, and cannot express 
state properties outside the current interval. Therefore, two special functions 

* The work is partially supported by UNU/IIST, and was done while the author stayed 
at UNU/IIST as a fellow (July 1998 to August 1999). The work is also partially 
supported by the National Natural Science Foundation of China under grant No. 
69873003. 
$\overleftarrow{\vartheta}$ and $\overrightarrow{\vartheta}$, firstly proposed in [?], are introduced into HDC. The functions 
$\overleftarrow{\cdot}$ and $\overrightarrow{\cdot}$ have a domain of state terms and a co-domain of functions from 
the intervals to the duration domain. E.g. $\overleftarrow{V} = 4$ means that in a left neighbourhood 
of the current interval the value of $V$ is 4. Symmetrically, $\overrightarrow{V} = 4$ means that in 
a right neighbourhood of the current interval the value of $V$ is 4. In order to 
axiomatise them, the neighbourhood rule is introduced in [?]. 

In both interval temporal logic [?] and duration calculi [?], symbols are 
divided into flexible and rigid symbols (adopting the terminology of [?]). Rigid 
symbols are intended to represent fixed, global entities. Their interpretation will 
be the same in all the intervals. Conversely, entities which may vary in different 
intervals are represented by flexible symbols. Such a distinction between two 
classes of symbols is common in the context of first order temporal logics [?]. 

Completeness of interval temporal logics and duration calculi not only de- 
pends on the choice of time domain, but also relies on which kind of variables 
are quantified. In practice, we need to choose the reals as time domain. If so, we 
cannot get completeness of these systems, for if they were complete, they would be ade- 
quate for arithmetic, which is impossible by Gödel's Theorem. Therefore, if we 
want to choose the reals as time domain, we can only get relative completeness 
of these systems. E.g. relative completeness of DC has been proved in [?]. If 
we only quantify over global variables, duration calculi are complete on abstract 
domains, as shown in [?]. But if we introduce quantifications over program variables 
into DC, since we interpret program variables as functions from the time domain to 
the duration domain, no (consistent) system is complete for this semantics, because 
whenever we interpret the domain of quantifiers as the set of all functions from 
the time domain to the duration domain, the language will have the expressive power of 
second-order arithmetic. So some restrictions on program variables are needed 
in order to work out a complete proof system; that is, it is assumed that all program variables 
vary finitely. If so, we can reduce HDC to $IL_2$. We will illustrate this 
as follows: 

A naive way to reduce second order logic to first order logic is to 
introduce for the class of $n$-ary predicates, $H^n(x_1, \ldots, x_n)$, a new $(n+1)$-ary 
predicate, $E^{n+1}(z, x_1, \ldots, x_n)$, which has an additional argument $z$, and enumer- 
ates all $H^n(x_1, \ldots, x_n)$. Thus, 

could be reduced to 

$\exists z.\,\phi[E^{n+1}(z, x_1, \ldots, x_n) / H^n(x_1, \ldots, x_n)]$ 

Therefore second order logic could be reduced to first order logic. A detailed 
discussion of this encoding can be found in [?]. However, in order to define 
the $(n+1)$-ary predicate $E^{n+1}$ we must have the following postulates, where 
we assume $n = 1$ and drop the indices $n$ and $n+1$ for simplicity. Firstly, 

$\exists z.\,E(z, x_1)$ and $\exists z.\,\neg E(z, x_1)$ 

postulate that, for a singleton domain, $E$ enumerates all $H$. Furthermore, to- 
gether with the above two formulae, the formula 

$\exists z.\,(x_1 \neq x_2) \Rightarrow ((E(z, x_1) \Leftrightarrow E(z_1, x_1)) \wedge (E(z, x_2) \Leftrightarrow E(z_2, x_2)))$ 

postulates that $E$ enumerates all $H$ over any finite domain. Unfortunately, with 
this approach, we can never define $E$ to enumerate all $H$ over an infinite domain. 
Hence second order predicate calculus cannot be reduced to first order predicate calculus in 
this way in general. 

However, by the finite variability of program variables, given an interval, 
any program variable $V$ can be generated by a finite combination of subintervals 
of the given one, over each of which $V$ is constant. Hence, it is possible to 
construct a 1-ary flexible function, $g(y)$, to enumerate all program variables by 
postulates including 

$\lceil\,\rceil \vee \exists y.\lceil g(y) = c\rceil$ for any constant $c$, and 

$\lceil\,\rceil \vee \exists y.\,\lceil g(y) = g(y_1)\rceil ; \lceil g(y) = g(y_2)\rceil$ 

In this way, $\exists V.\phi$ can be reduced to $\exists y_V.\,dc2il(\phi)$, where $dc2il$ is a translating 
function from HDC to $IL_2$ defined later. A complete proof system for HDC can 
be established based on the completeness result of $IL_2$. This idea is hinted by 
[?]. 

In order to prove completeness of HDC, we first establish $IL_2$, a first-order 
two-sorted interval temporal logic, in which global variables and functions 
are divided into two sorts. The role of the global variables and rigid functions of 
the first sort is as usual. The global variables and functions of the second sort 
and the flexible functions of the first sort are used to enumerate program variables 
and the durations of state expressions in HDC respectively, so that we can encode 
HDC into $IL_2$ by $dc2il$. Of course, it is not essential to divide global variables 
and functions into two sorts, because we can encode many-sorted logic into 
one-sorted logic by introducing some specific predicates into one-sorted logic 
to distinguish different objects in the same universe (see [?]). Completeness of 
$IL_2$ can be proved with the method used in [?]. Because we can show that the 
consistency of a set of formulae $\Gamma$ in HDC w.r.t. the proof system of HDC implies 
the consistency of $dc2il(\Gamma) \cup dc2il(Axiom_{hdc})$ w.r.t. $IL_2$, where $Axiom_{hdc}$ stands 
for the set of all axiom instances of HDC, we can get a model $\langle \mathcal{F}, \mathcal{J} \rangle$ which 
satisfies $dc2il(\Gamma) \cup dc2il(Axiom_{hdc})$ by completeness of $IL_2$. According to the 
model $\langle \mathcal{F}, \mathcal{J} \rangle$, we can construct a model $\langle \mathcal{F}', \mathcal{I} \rangle$ for HDC which satisfies 
$\Gamma$. Thus, completeness of HDC can be proved. 

We will omit the proofs of some lemmas and theorems later in order to save 
space, but their proofs can be found in [?]. 

2 Two-Sorted Interval Temporal Logic 

In order to prove completeness of HDC on abstract domains, in this section we shall establish 
$IL_2$ and then prove its completeness on abstract domains using the method 
provided in [?]. 



2.1 Syntax of $IL_2$ 

The alphabet of $IL_2$ includes: 

— An infinite set of temporal variables $TVar = \{v_i \mid i \geq 0\}$. 

— An infinite set of first sort global variables $Var^1 = \{x_i \mid i \geq 0\}$. 

— An infinite set of second sort global variables $Var^2 = \{y_i \mid i \geq 0\}$. 

— A special symbol $\ell$, which stands for the length of an interval. 

— An infinite set of propositional letters $PLetter = \{X_i \mid i \geq 0\}$. 

— An infinite set of first sort function symbols $FSymb^1 = \{f_i^n, h_i^n \mid i, n \geq 0\}$. 
The distinction between $f_i^n$ and $h_i^n$ is that the former is rigid but the latter 
is flexible. 

— A set of second sort flexible function symbols $FSymb^2 = \{g_i^n \mid i, n \geq 0\}$. 

— An infinite set of predicate symbols $RSymb = \{R_i^n \mid i, n \geq 0\}$. 

— The connectives $\vee$ and $\neg$. 

— The quantifier $\exists$ and the modality $;$. 

The terms of the first sort in $IL_2$ are defined by the following abstract syntax: 

$\theta ::= x \mid \ell \mid v \mid f_i^n(\theta_1, \ldots, \theta_n) \mid h_i^n(\theta_1, \ldots, \theta_n) \mid g_i^n(\vartheta_1, \ldots, \vartheta_n)$ 

where $\vartheta_i$ is a term of the second sort defined as follows: 

$\vartheta ::= d \mid y$ 

The formulae of $IL_2$ are defined inductively as follows: 

$\phi ::= X \mid R(\theta_1, \ldots, \theta_n) \mid \neg\phi \mid \phi \vee \psi \mid (\phi ; \psi) \mid \exists z.\phi$ 

where $z$ stands for any global variable from $Var^1 \cup Var^2$. 

A term (formula) is called rigid if neither a temporal variable, nor $\ell$, nor a flex- 
ible function symbol occurs in it; otherwise it is called flexible. A formula is called 
chop free if no $;$ occurs in it. 

2.2 Semantics of $IL_2$ on Abstract Domains 

In this section, we give the meaning of the terms and formulae of $IL_2$ on abstract 
domains. 

Definition 1. A time domain is a linearly ordered set $\langle T, < \rangle$. 

Definition 2. Given a time domain $\langle T, < \rangle$, we can define a set of intervals 
$\mathrm{Intv}(T) = \{[t_1, t_2] \mid t_1, t_2 \in T \text{ and } t_1 \leq t_2\}$, where $[t_1, t_2] = \{t \mid t \in 
T \text{ and } t_1 \leq t \leq t_2\}$. 

Definition 3. A duration domain is a system of the type $\langle D, +, 0 \rangle$, which 
satisfies the following axioms: 

(D1) $a + (b + c) = (a + b) + c$ 
(D2) $a + 0 = a = 0 + a$ 
(D3) $a + b = a + c \Rightarrow b = c$, $\quad a + c = b + c \Rightarrow a = b$ 
(D4) $a + b = 0 \Rightarrow a = 0 = b$ 
(D5) $\exists c.\, a + c = b \vee b + c = a$, $\quad \exists c.\, c + a = b \vee c + b = a$ 

That is, $\langle D, +, 0 \rangle$ is a totally ordered commutative group. 

Definition 4. Given a time domain $\langle T, < \rangle$ and a duration domain $\langle D, +, 0 \rangle$, 
a measure $m$ is a function from $\mathrm{Intv}(T)$ to $D$ which satisfies the following conditions: 

(M1) $m([t_1, t_2]) = m([t_1, t_2']) \Rightarrow t_2 = t_2'$ 
(M2) $m([t_1, t]) + m([t, t_2]) = m([t_1, t_2])$ 
(M3) $m([t_1, t_2]) = a + b \Rightarrow \exists t.\, m([t_1, t]) = a \wedge (t_1 \leq t \leq t_2)$ 

Definition 5. A frame of $IL_2$ is a quadruple $\langle\langle T, < \rangle, \langle D, +, 0 \rangle, D_1, m\rangle$, 
where $\langle T, < \rangle$ is a time domain, $\langle D, +, 0 \rangle$ is a duration domain, 
$D_1$ is called the inhabited domain, and $m$ is a measure. 

Definition 6. A model of $IL_2$ is a quintuple of type $\langle\langle T, < \rangle, \langle D, +, 0 \rangle, D_1, m, \mathcal{J}\rangle$, 
where $\langle\langle T, < \rangle, \langle D, +, 0 \rangle, D_1, m\rangle$ is a frame, and $\mathcal{J}$ is an 
interpretation of the symbols in $IL_2$ which satisfies the following conditions: 
$\mathcal{J}(X) \in \mathrm{Intv}(T) \to \{0, 1\}$ for every $X \in PLetter$; $\mathcal{J}(v) \in \mathrm{Intv}(T) \to D$ for 
every $v \in TVar$; $\mathcal{J}(R_i^n) \in D^n \to \{0, 1\}$ for every $R_i^n \in RSymb$; $\mathcal{J}(f_i^n) \in 
D^n \to D$ for every $f_i^n \in FSymb^1$; $\mathcal{J}(h_i^n) \in D^n \times \mathrm{Intv}(T) \to D$ for every 
$h_i^n \in FSymb^1$; $\mathcal{J}(g_i^n) \in D_1^n \times \mathrm{Intv}(T) \to D$ for every $g_i^n \in FSymb^2$; and 
$\mathcal{J}(0) = 0$, $\mathcal{J}(+) = +$, $\mathcal{J}(=)$ is $=$, and $\mathcal{J}(\ell) = m$. 



Definition 7. Let $\mathcal{J}$ and $\mathcal{J}'$ be two interpretations defined as above. $\mathcal{J}$ is 
$z$-equivalent to $\mathcal{J}'$ if $\mathcal{J}$ and $\mathcal{J}'$ give the same values to all symbols, except possibly $z$. 

Given a model of $IL_2$, $\langle\langle T, < \rangle, \langle D, +, 0 \rangle, D_1, m, \mathcal{J}\rangle$, and an interval 
$[t_1, t_2] \in \mathrm{Intv}(T)$, the value of a term $\vartheta$ or $\theta$ can be defined as follows: 

$\mathcal{J}_{t_1 t_2}(y) = \mathcal{J}(y)$ for $y \in Var^2$ 

$\mathcal{J}_{t_1 t_2}(x) = \mathcal{J}(x)$ for $x \in Var^1$ 

$\mathcal{J}_{t_1 t_2}(v) = \mathcal{J}(v)([t_1, t_2])$ for $v \in TVar$ 

$\mathcal{J}_{t_1 t_2}(f_i^n(\theta_1, \ldots, \theta_n)) = \mathcal{J}(f_i^n)(\mathcal{J}_{t_1 t_2}(\theta_1), \ldots, \mathcal{J}_{t_1 t_2}(\theta_n))$ for $f_i^n \in FSymb^1$ 

$\mathcal{J}_{t_1 t_2}(h_i^n(\theta_1, \ldots, \theta_n)) = \mathcal{J}(h_i^n)([t_1, t_2], \mathcal{J}_{t_1 t_2}(\theta_1), \ldots, \mathcal{J}_{t_1 t_2}(\theta_n))$ for $h_i^n \in FSymb^1$ 
$\mathcal{J}_{t_1 t_2}(g_i^n(\vartheta_1, \ldots, \vartheta_n)) = \mathcal{J}(g_i^n)([t_1, t_2], \mathcal{J}_{t_1 t_2}(\vartheta_1), \ldots, \mathcal{J}_{t_1 t_2}(\vartheta_n))$ for $g_i^n \in FSymb^2$ 

Given a model $\mathcal{M} = \langle \mathcal{F}, \mathcal{J} \rangle$ where $\mathcal{F} = \langle\langle T, < \rangle, \langle D, +, 0 \rangle, D_1, m\rangle$, 
and an interval $[t_1, t_2]$, the meaning of a formula $\phi$ is explained by the following 
rules: 

1. $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} X$ iff $\mathcal{J}(X)([t_1, t_2]) = \mathit{tt}$ 

2. $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} R^n(\theta_1, \ldots, \theta_n)$ iff $\mathcal{J}(R^n)(\mathcal{J}_{t_1 t_2}(\theta_1), \ldots, \mathcal{J}_{t_1 t_2}(\theta_n)) = \mathit{tt}$ 

3. $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} \neg\phi$ iff $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \not\models_{IL_2} \phi$ 

4. $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} \phi \vee \psi$ 
iff $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} \phi$ or $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} \psi$ 

5. $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} \phi ; \psi$ 
iff $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t] \models_{IL_2} \phi$ and $\langle \mathcal{F}, \mathcal{J} \rangle, [t, t_2] \models_{IL_2} \psi$ for some $t \in [t_1, t_2]$ 

6. $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2} \exists z.\phi$ iff $\langle \mathcal{F}, \mathcal{J}' \rangle, [t_1, t_2] \models_{IL_2} \phi$ for some interpreta- 
tion $\mathcal{J}'$ which is $z$-equivalent to $\mathcal{J}$ 
Satisfaction and validity can be defined in the usual way, see [?]. 

The following abbreviations will be used: 

$\Diamond\phi \;=\; \mathit{true} ; (\phi ; \mathit{true})$ reads: "for some sub-interval: $\phi$" 
$\Box\phi \;=\; \neg\Diamond\neg\phi$ reads: "for all sub-intervals: $\phi$" 

Furthermore, the standard abbreviations from predicate logic will be used. When 
$\neg$, $\exists z$, $\Box$, and $\Diamond$ occur in formulae they have higher precedence than the binary 
connectives and the modality $;$. The modality $;$ has higher precedence than the 
binary connectives. 

Definition 8. Let $\phi$ be an $IL_2$ formula, and let $\mathcal{M} = \langle \mathcal{F}, \mathcal{J} \rangle$ be a model of 
$IL_2$, where $\mathcal{F} = \langle\langle T, < \rangle, \langle D, +, 0 \rangle, D_1, m\rangle$ is the corresponding frame. 
$\phi$ is said to have finite variability on $\mathcal{M}$ if for every $[t_1, t_2] \in \mathrm{Intv}(T)$ 
there exist $t_1', \ldots, t_n'$ such that $t_1 = t_1' < \ldots < t_n' = t_2$ and for all 
$i = 1, \ldots, n-1$, $\mathcal{M}, [t_i', t_{i+1}'] \models_{IL_2} \phi$. $\phi$ is said to have finite 
variability on a class of models $\mathcal{K}$ if it has the property on every member of $\mathcal{K}$. 

Definition 9. Let $\phi$ be an $IL_2$ formula. We define the sequence of formulae $\phi^k$ 
as follows: 

$\phi^0 = (\ell = 0)$, $\quad \phi^{k+1} = \phi^k ; \phi$ 

For the rest of this section we will fix a set $\Omega$ of $IL_2$ formulae and consider 
only $IL_2$ models on which $\phi$ has finite variability for every $\phi \in \Omega$. We will 
use $\mathcal{K}_\Omega$ to denote the class of models that satisfy the above property. So 
the following proof system takes $\Omega$ as a parameter. Of course, all discussions 
below can be applied to an arbitrary set of $IL_2$ formulae $\Omega$. If $\Omega = \emptyset$, then the 
case is the same as in [?]. The finite variability of $\phi$ means that for any interval one 
can partition the interval into finitely many subintervals such that $\Box\phi$ holds on 
each of the subintervals. The axiom $ITL_\Omega$ and rule $IR_\Omega$ given below are used to 
axiomatise the finite variability of all $\phi \in \Omega$. 
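To make Definitions 8 and 9 concrete, the following Python snippet (an added illustration, not code from the paper) evaluates chop, $\Diamond$ and $\Box$ over a constructed discrete model and searches for the least $k$ with $\phi^k$ true on an interval, which is exactly a finite partition of that interval into $\phi$-subintervals. The time domain, the sample step function V and the atom 'Vconst' (the discrete reading of $\exists x.(\lceil V = x \rceil \vee \lceil\,\rceil)$ from $\Omega_{hdc}$ later in the paper) are this example's own assumptions; the final check that $\phi \Rightarrow \Box\phi$ holds on every interval is the $ITL_\Omega$ instance for this $\phi$.

```python
from functools import lru_cache
from typing import Callable, Dict, List, Tuple

# Constructed discrete model (example's own assumption): time domain T = {0..N},
# intervals [a,b] with a <= b, length ell = b - a, and one program variable V
# given by its value at each time point.
N = 6
V: List[int] = [1, 1, 2, 2, 3, 3, 3]

# Atomic interval properties.  'Vconst' holds on [a,b] when V takes a single value on
# the half-open [a,b) (point intervals count), i.e. the discrete reading of
# exists x.(ceil(V = x) or ceil()).
ATOMS: Dict[str, Callable[[int, int], bool]] = {
    'Vconst': lambda a, b: all(V[t] == V[a] for t in range(a, b)),
}

# Formulas are nested tuples: ('atom', name) | ('len_eq', n) | ('len_ge', n)
# | ('not', p) | ('or', p, q) | ('chop', p, q).
TRUE: Tuple = ('len_ge', 0)

def chop(p, q): return ('chop', p, q)
def implies(p, q): return ('or', ('not', p), q)
def diamond(p): return chop(TRUE, chop(p, TRUE))   # true;(p;true): some sub-interval
def box(p): return ('not', diamond(('not', p)))     # not diamond not p: all sub-intervals

@lru_cache(maxsize=None)
def sat(phi, a: int, b: int) -> bool:
    """M, [a,b] |= phi, following satisfaction rules 1-5 of Section 2.2."""
    tag = phi[0]
    if tag == 'atom':   return ATOMS[phi[1]](a, b)
    if tag == 'len_eq': return b - a == phi[1]
    if tag == 'len_ge': return b - a >= phi[1]
    if tag == 'not':    return not sat(phi[1], a, b)
    if tag == 'or':     return sat(phi[1], a, b) or sat(phi[2], a, b)
    if tag == 'chop':   # some chop point t in [a,b] with phi on [a,t] and psi on [t,b]
        return any(sat(phi[1], a, t) and sat(phi[2], t, b) for t in range(a, b + 1))
    raise ValueError(tag)

def power(phi, k: int):
    """phi^0 = (ell = 0), phi^{k+1} = phi^k ; phi (Definition 9)."""
    f = ('len_eq', 0)
    for _ in range(k):
        f = chop(f, phi)
    return f

def variability_index(phi, a: int, b: int):
    """Least k such that phi^k holds on [a,b]: the number of pieces in a finite
    partition of [a,b] into phi-intervals.  None if no such partition exists
    (in this discrete model a partition never needs more than b - a + 1 pieces)."""
    for k in range(b - a + 2):
        if sat(power(phi, k), a, b):
            return k
    return None

def valid(phi) -> bool:
    """phi holds on every interval of this one model."""
    return all(sat(phi, a, b) for a in range(N + 1) for b in range(a, N + 1))

PHI = ('atom', 'Vconst')

if __name__ == '__main__':
    print(sat(diamond(PHI), 0, N), sat(box(PHI), 0, N))   # True False
    print(variability_index(PHI, 0, N))                   # 3: [0,2],[2,4],[4,6]
    print(valid(implies(PHI, box(PHI))))                  # True: the ITL_Omega instance
```

Note that `variability_index` is the semantic counterpart of the rule $IR_\Omega$ below: every interval of the model satisfies some $\phi^k$, which is what licenses concluding $H(\mathit{true}/X)$ from the premises on all $\phi^k$.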

2.3 Proof System of $IL_2$ with $\Omega$ 

In this section, we give a sound and complete proof system of $IL_2$ with $\Omega$ w.r.t. 
$\mathcal{K}_\Omega$. The notation $\vdash_{IL_2\Omega} \phi$ means that $\phi$ is provable, i.e. that $\phi$ is a theorem of 
$IL_2$ with $\Omega$. 

Definition 10. A term $\theta$ is called free for $x$ in $\phi$ if $x$ does not occur freely in 
$\phi$ within the scope of $\exists x'$ or $\forall x'$ where $x'$ is any variable occurring in $\theta$. 

The axioms of $IL_2$ are: 

ITL1: $\ell \geq 0$ 

ITL2: $((\phi ; \psi) \wedge \neg(\phi ; \chi)) \Rightarrow (\phi ; (\psi \wedge \neg\chi))$ 
      $((\phi ; \psi) \wedge \neg(\chi ; \psi)) \Rightarrow ((\phi \wedge \neg\chi) ; \psi)$ 

ITL3: $((\phi ; \psi) ; \chi) \Leftrightarrow (\phi ; (\psi ; \chi))$ 

ITL4: $(\phi ; \psi) \Rightarrow \phi$ if $\phi$ is a rigid formula 
      $(\phi ; \psi) \Rightarrow \psi$ if $\psi$ is a rigid formula 

ITL5: $(\exists z.\phi ; \psi) \Rightarrow \exists z.(\phi ; \psi)$ if $z$ is not free in $\psi$ 
      $(\phi ; \exists z.\psi) \Rightarrow \exists z.(\phi ; \psi)$ if $z$ is not free in $\phi$ 

ITL6: $((\ell = a) ; \phi) \Rightarrow \neg((\ell = a) ; \neg\phi)$ 
      $(\phi ; (\ell = a)) \Rightarrow \neg(\neg\phi ; (\ell = a))$ 

ITL7: $(a \geq 0 \wedge b \geq 0) \Rightarrow ((\ell = a + b) \Leftrightarrow ((\ell = a) ; (\ell = b)))$ 

ITL8: $\phi \Rightarrow (\phi ; (\ell = 0))$ 
      $\phi \Rightarrow ((\ell = 0) ; \phi)$ 

ITL$_\Omega$: $\phi \Rightarrow \Box\phi$ for all $\phi \in \Omega$ 

The inference rules of $IL_2$ are: 

N: if $\phi$ then $\neg(\neg\phi ; \psi)$ 
   if $\phi$ then $\neg(\psi ; \neg\phi)$ 

M: if $\phi \Rightarrow \psi$ then $(\phi ; \chi) \Rightarrow (\psi ; \chi)$ 
   if $\phi \Rightarrow \psi$ then $(\chi ; \phi) \Rightarrow (\chi ; \psi)$ 

IR$_\Omega$: from $H(\phi^0 / X)$ and $\forall k < \omega.\ H(\phi^k / X) \Rightarrow H(\phi^{k+1} / X)$ infer $H(\mathit{true} / X)$, for $\phi \in \Omega$ 

The proof system of $IL_2$ with $\Omega$ also contains all axioms and rules for 
propositional logic, predicate logic, and real arithmetic, such as 

(G): if $\phi$ then $\forall z.\phi$ 

However, for the following axiom, a side condition is necessary. 

(Q): $\forall x.\phi(x) \Rightarrow \phi(\theta)$ 
if either $\theta$ is free for $x$ in $\phi(x)$ and $\theta$ is rigid, 
or $\theta$ is free for $x$ in $\phi(x)$ and $\phi(x)$ is chop free. 

An explanation of the necessity of the side condition is given in [?]. The axioms 
and rules for equality, addition, etc. in real arithmetic will not be listed here, 
but can be found in [?]. 

Theorem 1 (Soundness). The proof system is sound, i.e. $\vdash_{IL_2\Omega} \phi$ implies 
$\models_{IL_2\Omega} \phi$, where $\models_{IL_2\Omega} \phi$ means $\phi$ is valid on every model $\mathcal{M} \in \mathcal{K}_\Omega$. 

Definition 11. Given a set of $IL_2$ formulae $\Gamma$, if $\Gamma \nvdash_{IL_2\Omega} \mathit{false}$, then $\Gamma$ is called 
consistent w.r.t. the proof system of $IL_2$ with $\Omega$; otherwise it is called inconsistent. 

Theorem 2 (Completeness). Given a set of $IL_2$ formulae $\Gamma$, if $\Gamma$ is consis- 
tent w.r.t. the proof system of $IL_2$ with $\Omega$, then there exists a model $\mathcal{M} = \langle\langle 
T, < \rangle, \langle D, +, 0 \rangle, D_1, m, \mathcal{J}\rangle$ on which $\phi$ has finite variability for every $\phi \in \Omega$, 
and an interval $[t_1, t_2] \in \mathrm{Intv}(T)$ such that $\mathcal{M}, [t_1, t_2] \models_{IL_2\Omega} \Gamma$. 

Proof. It can be proved using the method provided in [?]. See [?]. □ 



3 Higher-Order Duration Calculus 

In this section, we establish a higher-order duration calculus, which is an ex- 
tension of the original duration calculus, by introducing program variables and 
quantifications over them. 
3.1 Syntax of HDC 

The alphabet of HDC contains all symbols of $IL_2$ except for the symbols of the 
second sort and the flexible function symbols of the first sort. Besides, it also 
includes an infinite set of program variables $PVar = \{V_i \mid i \geq 0\}$. In HDC, 
all temporal variables have the special structure $\int S$, where $S$ is a state expression 
defined as follows: 

$S ::= 0 \mid 1 \mid S_1 \vee S_2 \mid \neg S \mid R(\vartheta_1, \ldots, \vartheta_n)$ 

where $R$ is the characteristic function of the predicate $R$, and $\vartheta_1, \ldots, \vartheta_n$ are called 
state terms, defined as: 

$\vartheta ::= x \mid V \mid f(\vartheta_1, \ldots, \vartheta_n)$ 

The terms of HDC are constructed as follows: 

$\theta ::= x \mid \ell \mid v \mid \overleftarrow{\vartheta} \mid \overrightarrow{\vartheta} \mid f(\theta_1, \ldots, \theta_n)$ 

where $v$ has the form $\int S$ with $S$ a state expression defined above, and $\overleftarrow{\cdot}$ 
and $\overrightarrow{\cdot}$ are two special functions with a domain of state terms and a codomain 
of functions from the intervals to the duration domain. 

The formulae of HDC are defined inductively as follows: 

$\phi ::= X \mid R(\theta_1, \ldots, \theta_n) \mid \neg\phi \mid \phi \vee \psi \mid (\phi ; \psi) \mid \exists x.\phi \mid \exists V.\phi$ 

A state term (term or formula) is called rigid if neither a program variable nor 
$\ell$ occurs in it; otherwise it is called flexible. 

Remark 1. We can show that a rigid state expression is also a rigid formula by 
the above definitions if we do not distinguish a predicate from its characteristic 
function. For example, $(x + 3 > 1)$ can be taken as a state as well as a formula 
according to the syntactic definitions above. In order to avoid confusion, when 
$S$ is rigid, we will use $\phi_S$ to stand for the rigid formula corresponding to $S$. 

3.2 Semantics of HDC 

In this subsection, we give the meaning of terms and formulae in HDC on abstract 
domains. HDC frames are essentially $IL_2$ frames too, but a slight difference is 
that there is no inhabited domain in HDC frames. 

Definition 12. A model of HDC is a quadruple of type $\langle\langle T, < \rangle, \langle D, +, 0 \rangle, m, \mathcal{I}\rangle$, 
where $\langle\langle T, < \rangle, \langle D, +, 0 \rangle, m\rangle$ is a frame, and $\mathcal{I}$ is an interpre- 
tation of the symbols in HDC which satisfies the following condition: 

For every $V \in PVar$, and every $[t_1, t_2] \in \mathrm{Intv}(T)$ there exist $t_1', \ldots, t_n'$ such 
that $t_1 = t_1' < \ldots < t_n' = t_2$, and for any $t, t' \in [t_i', t_{i+1}')$, $\mathcal{I}(V)(t) = 
\mathcal{I}(V)(t')$ for all $i = 1, \ldots, n-1$. 

This property is known as the finite variability of program variables. 
Given a model of HDC $\mathcal{M} = \langle\langle T, < \rangle, \langle D, +, 0 \rangle, m, \mathcal{I}\rangle$, the meaning 
of program variables and propositional letters is given as: $\mathcal{I}(V) \in T \to D$ and 
$\mathcal{I}(X) \in \mathrm{Intv}(T) \to \{\mathit{tt}, \mathit{ff}\}$ respectively. 

The semantics of a state term $\vartheta$, given a model $\mathcal{M} = \langle \mathcal{F}, \mathcal{I} \rangle$, is a function 
with type $T \to D$ defined inductively on its structure as follows: 

$\mathcal{I}(x)(t) = \mathcal{I}(x)$ 

$\mathcal{I}(V)(t) = \mathcal{I}(V)(t)$ 

$\mathcal{I}(f(\vartheta_1, \ldots, \vartheta_n))(t) = \mathcal{I}(f)(\mathcal{I}(\vartheta_1)(t), \ldots, \mathcal{I}(\vartheta_n)(t))$ 

The semantics of a state expression $S$, given a model $\mathcal{M} = \langle \mathcal{F}, \mathcal{I} \rangle$, is a 
function with type $T \to \{0, 1\}$ defined inductively on its structure as follows: 

$\mathcal{I}(0)(t) = 0$ 

$\mathcal{I}(1)(t) = 1$ 

$\mathcal{I}(R(\vartheta_1, \ldots, \vartheta_n))(t) = \mathcal{I}(R)(\mathcal{I}(\vartheta_1)(t), \ldots, \mathcal{I}(\vartheta_n)(t))$ 

$\mathcal{I}(\neg S)(t) = 1 - \mathcal{I}(S)(t)$ 

$\mathcal{I}(S_1 \vee S_2)(t) = \begin{cases} 0 & \text{if } \mathcal{I}(S_1)(t) = 0 \text{ and } \mathcal{I}(S_2)(t) = 0 \\ 1 & \text{otherwise} \end{cases}$ 

Lemma 1. Let $S$ be a state expression and $\mathcal{I}$ be an interpretation of the symbols 
in HDC on a frame $\mathcal{F} = \langle\langle T, < \rangle, \langle D, +, 0 \rangle, m\rangle$. Then for every $[t_1, t_2] \in 
\mathrm{Intv}(T)$ there exist $t_1', \ldots, t_n'$ such that $t_1 = t_1' < \ldots < t_n' = t_2$, and for any 
$t, t' \in [t_i', t_{i+1}')$, $\mathcal{I}(S)(t) = \mathcal{I}(S)(t')$ for all $i = 1, \ldots, n-1$. 

Proof. Induction on the construction of $S$. □ 

Using Lemma 1 we can give the interpretation of $\int S$ under an HDC model 
$\mathcal{M} = \langle \mathcal{F}, \mathcal{I} \rangle$. Let $[t_1, t_2] \in \mathrm{Intv}(T)$ and $t_1', \ldots, t_n'$ be a partition of $[t_1, t_2]$ 
which has the property stated in Lemma 1. We define $p \cdot c$ for $p \in \{0, 1\}$ and 
$c \in D$ as follows: 

$p \cdot c = \begin{cases} 0 & \text{if } p = 0 \\ c & \text{if } p = 1 \end{cases}$ 

Then $\mathcal{I}(\int S)([t_1, t_2]) = \sum_{i=1}^{n-1} \mathcal{I}(S)(t_i') \cdot m([t_i', t_{i+1}'])$. It is easy to show that this 
definition does not depend on the particular choice of $t_1', \ldots, t_n'$. 

Given a model $\mathcal{M} = \langle \mathcal{F}, \mathcal{I} \rangle$ and an interval $[t_1, t_2] \in \mathrm{Intv}(T)$, the meanings 
of the initial and final values of state terms, $\overleftarrow{\vartheta}$ and $\overrightarrow{\vartheta}$, are functions with type 
$\mathrm{Intv}(T) \to D$ defined as follows: 

$\overleftarrow{\vartheta}([t_1, t_2]) = d$ iff $\langle \mathcal{F}, \mathcal{I} \rangle, [t_1 - \delta, t_1] \models_{HDC} \lceil \vartheta = d \rceil$ for some $\delta > 0$; 

$\overrightarrow{\vartheta}([t_1, t_2]) = d$ iff $\langle \mathcal{F}, \mathcal{I} \rangle, [t_2, t_2 + \delta] \models_{HDC} \lceil \vartheta = d \rceil$ for some $\delta > 0$; 

where $\lceil S \rceil \;=\; (\int S = \ell \wedge \ell > 0)$. It means that $S$ takes value 1 almost everywhere 
in a non-point interval. We will use $\lceil\,\rceil$ to stand for $\ell = 0$. 

The meaning of the other syntactic entities in HDC can be given similarly to the 
ones in $IL_2$, and the other notions for HDC can also be defined similarly. 
3.3 Proof System of HDC 

In this section, we give a proof system of HDC. The notation $\vdash_{HDC} \phi$ means that 
$\phi$ is provable. 

The proof system of HDC includes all axioms and inference rules of $IL_2$ except 
the axiom $ITL_\Omega$. Besides, it also includes the following three groups of axioms 
and rules. 

The first group is used to specify how to calculate and reason about state 
durations. They are: 

(DC1) $\int 0 = 0$ 
(DC2) $\int 1 = \ell$ 
(DC3) $\int S \geq 0$ 
(DC4) $\int S_1 + \int S_2 = \int(S_1 \vee S_2) + \int(S_1 \wedge S_2)$ 
(DC5) $((\int S = x_1) ; (\int S = x_2)) \Rightarrow (\int S = x_1 + x_2)$ 
(DC6) $\int S_1 = \int S_2$, if $S_1 \Leftrightarrow S_2$ 
(DC7) $\lceil S \rceil \Leftrightarrow (\phi_S \wedge \ell > 0)$, if $S$ is rigid 
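As an added illustration (not code from the paper) of the semantics of Section 3.2 and of the first group of axioms, the Python below represents finitely variable program variables as step functions over a rational time domain with $m([t_1,t_2]) = t_2 - t_1$, evaluates state expressions pointwise, computes $\mathcal{I}(\int S)([t_1,t_2])$ as the sum over a partition of the kind given by Lemma 1, reads $\overleftarrow{V}$ and $\overrightarrow{V}$ off the neighbourhoods, and then checks instances of DC1-DC5 and the partition-independence claim on a constructed model. The names, the tuple encoding of state expressions and the sample model are the example's own.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Example's own assumptions: time domain T = rationals, duration domain D = rationals
# under +, measure m([t1,t2]) = t2 - t1.  A finitely variable program variable is a
# step function: sorted (breakpoint, value) pairs, the value holding on
# [breakpoint, next breakpoint).
Time = Fraction
StepFn = List[Tuple[Time, int]]
Env = Dict[str, StepFn]          # the interpretation I(V) of each program variable

def value_at(v: StepFn, t: Time) -> int:
    """I(V)(t): value of the last segment starting at or before t."""
    cur = v[0][1]
    for bp, val in v:
        if bp <= t:
            cur = val
    return cur

def left_value(v: StepFn, t1: Time) -> int:
    """Left-neighbourhood value: the constant value of V on [t1 - delta, t1) for small delta > 0."""
    cur = v[0][1]
    for bp, val in v:
        if bp < t1:
            cur = val
    return cur

def right_value(v: StepFn, t2: Time) -> int:
    """Right-neighbourhood value: the constant value of V on [t2, t2 + delta)."""
    return value_at(v, t2)

def term_value(th, env: Env, t: Time) -> int:
    """State terms ('const', c) | ('var', 'V')."""
    return th[1] if th[0] == 'const' else value_at(env[th[1]], t)

def state_value(S, env: Env, t: Time) -> int:
    """I(S)(t) in {0,1} for S ::= 0 | 1 | not S | S1 or S2 | S1 and S2 | R(terms)."""
    tag = S[0]
    if tag == '0':   return 0
    if tag == '1':   return 1
    if tag == 'not': return 1 - state_value(S[1], env, t)
    if tag == 'or':  return max(state_value(S[1], env, t), state_value(S[2], env, t))
    if tag == 'and': return min(state_value(S[1], env, t), state_value(S[2], env, t))
    if tag == 'R':   # ('R', characteristic function, [state terms])
        return 1 if S[1](*[term_value(th, env, t) for th in S[2]]) else 0
    raise ValueError(tag)

def partition(env: Env, t1: Time, t2: Time, extra=()) -> List[Time]:
    """t1 = t'_1 < ... < t'_n = t2 with every V, hence every S (Lemma 1), constant on each [t'_i, t'_{i+1})."""
    pts = {t1, t2}
    for v in env.values():
        pts.update(bp for bp, _ in v if t1 < bp < t2)
    pts.update(p for p in extra if t1 < p < t2)   # optional refinement points
    return sorted(pts)

def duration(S, env: Env, t1: Time, t2: Time, extra=()) -> Fraction:
    """I(integral S)([t1,t2]) = sum_i I(S)(t'_i) . m([t'_i, t'_{i+1}]), with p . c = 0 or c."""
    pts = partition(env, t1, t2, extra)
    return sum((b - a if state_value(S, env, a) == 1 else Fraction(0)
                for a, b in zip(pts, pts[1:])), Fraction(0))

def check_dc_axioms(env: Env, S1, S2, t1: Time, t2: Time) -> Dict[str, bool]:
    """Instances of DC1-DC5 on one interval, plus independence of the partition chosen."""
    ell = t2 - t1
    mid = t1 + ell / 2                              # chop point for DC5
    return {
        'DC1 int 0 = 0':   duration(('0',), env, t1, t2) == 0,
        'DC2 int 1 = ell': duration(('1',), env, t1, t2) == ell,
        'DC3 int S >= 0':  duration(S1, env, t1, t2) >= 0,
        'DC4 sum':         duration(S1, env, t1, t2) + duration(S2, env, t1, t2)
                           == duration(('or', S1, S2), env, t1, t2) + duration(('and', S1, S2), env, t1, t2),
        'DC5 chop':        duration(S1, env, t1, mid) + duration(S1, env, mid, t2)
                           == duration(S1, env, t1, t2),
        'partition-free':  duration(S1, env, t1, t2)
                           == duration(S1, env, t1, t2, extra=(t1 + ell / 3, t1 + 2 * ell / 3)),
    }

# Constructed sample model: V jumps at 0, 2, 5 and W at 0, 3 (both finitely variable).
SAMPLE_ENV: Env = {'V': [(Fraction(0), 1), (Fraction(2), 3), (Fraction(5), 1)],
                   'W': [(Fraction(0), 0), (Fraction(3), 4)]}
V_IS_1 = ('R', lambda a, b: a == b, [('var', 'V'), ('const', 1)])   # state  V = 1
W_LT_4 = ('R', lambda a, b: a < b,  [('var', 'W'), ('const', 4)])   # state  W < 4

def demo() -> Dict[str, object]:
    """Results on the constructed model over [1,6], and the neighbourhood values of V at 2 and 5."""
    one, two, five, six = Fraction(1), Fraction(2), Fraction(5), Fraction(6)
    return {
        'int(V=1)': duration(V_IS_1, SAMPLE_ENV, one, six),
        'int(W<4)': duration(W_LT_4, SAMPLE_ENV, one, six),
        'int(V=1 or W<4)': duration(('or', V_IS_1, W_LT_4), SAMPLE_ENV, one, six),
        'int(V=1 and W<4)': duration(('and', V_IS_1, W_LT_4), SAMPLE_ENV, one, six),
        'leftV@2': left_value(SAMPLE_ENV['V'], two),
        'rightV@5': right_value(SAMPLE_ENV['V'], five),
        'axioms': check_dc_axioms(SAMPLE_ENV, V_IS_1, W_LT_4, one, six),
    }
```

Running `demo()` on the constructed model gives $\int(V = 1) = 2$ and $\int(W < 4) = 2$ over $[1,6]$, while $\int(V=1 \vee W<4) = 3$ and $\int(V=1 \wedge W<4) = 1$, which is the DC4 identity in numbers; all entries of `'axioms'` come out true.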



The role of the second group is to calculate the initial and final values of $\vartheta$, $\overleftarrow{\vartheta}$ 
and $\overrightarrow{\vartheta}$. They are: 

(PV1) $(\ell > 0) ; ((\overleftarrow{\vartheta} = x_1) \wedge (\ell = x_2)) \;\Leftrightarrow\; \mathit{true} ; \lceil \vartheta = x_1 \rceil ; (\ell = x_2)$ 

(PV2) $((\overrightarrow{\vartheta} = x_1) \wedge (\ell = x_2)) ; (\ell > 0) \;\Leftrightarrow\; (\ell = x_2) ; \lceil \vartheta = x_1 \rceil ; \mathit{true}$ 

PV1 and PV2 formulate the meaning of the initial value and final value of a 
state term, which are inherited from the previous statement and passed to the 
next one. Because the function $\overleftarrow{\cdot}$ ($\overrightarrow{\cdot}$) involves the value of a state term in a left 
neighbourhood (right neighbourhood), the neighbourhood rule is necessary in 
order to axiomatise them. 

NR: If $(\ell = a) ; \phi ; (\ell = b) \Rightarrow (\ell = a) ; \psi ; (\ell = b)$, then $\phi \Rightarrow \psi$. $\quad (a, b \geq 0)$ 

Remark 2. This rule can be regarded as a rule of $IL_2$. Although the rule de- 
stroys the deduction theorem of $IL_2$, $IL_2$ remains complete after introducing 
it. 

The last group is used to specify the semantics of $V$, $\overleftarrow{V}$ and $\overrightarrow{V}$ in the context 
of quantifications. 

The axiom and rule below are standard as in predicate logic. 

$G_V$: if $\phi$ then $\forall V.\phi$ 

$Q_V$: $\forall V.\phi(V) \Rightarrow \phi(\vartheta)$ 

If $\overleftarrow{V}$ ($\overrightarrow{V}$) does not occur in formula $\phi$, then it can take any value, since the 
value of $\overleftarrow{V}$ ($\overrightarrow{V}$) is defined by the value of $V$ outside the reference interval w.r.t. $\phi$. 
Hence, 

(HDC1) $\exists V.\phi \Leftrightarrow \exists V.(\phi \wedge (\overleftarrow{V} = x))$ if $\overleftarrow{V}$ does not occur in $\phi$ 

(HDC2) $\exists V.\phi \Leftrightarrow \exists V.(\phi \wedge (\overrightarrow{V} = x))$ if $\overrightarrow{V}$ does not occur in $\phi$ 
The distributivity of $\exists V$ over the chop operator is the most essential property 
of $V$ as a function over time. $\exists V$ can distribute over the chop if and only if the 
value of $V$ in the left operand of the chop can match the value of $V$ in the right 
operand, and symmetrically for the value of $V$ in the right operand. That is, 

(HDC3) $(\exists V.(\phi \wedge (\mathit{true} ; \lceil V = x_1 \rceil \vee \lceil\,\rceil) \wedge (\overrightarrow{V} = x_2))) ; (\exists V.(\psi \wedge (\lceil V = x_2 \rceil ; \mathit{true} \vee \lceil\,\rceil) \wedge (\overleftarrow{V} = x_1))) \;\Rightarrow\; \exists V.(\phi ; \psi)$ 

When $\phi$ or $\psi$ …, it can be derived from the above axioms that 

$(\exists V.\phi) ; \exists V.\psi \Rightarrow \exists V.(\phi ; \psi)$ 

In order to define program variables as finitely varied functions, in the proof 
system we let $\Omega = \Omega_{hdc}$ where $\Omega_{hdc} = \{\exists x.(\lceil V = x \rceil \vee \lceil\,\rceil) \mid V \in PVar\}$. 

Theorem 3 (Soundness). The proof system of HDC is sound, i.e. $\vdash_{HDC} \phi$ 
implies $\models_{HDC} \phi$. 



4 Completeness of HDC on Abstract Domains 

In this section, we will apply completeness of $IL_2$ with $\Omega$ to show that HDC is 
complete on abstract domains. To this end, let us choose a language $\mathcal{L}_{IL_2}$ for $IL_2$ 
with four special flexible function symbols $\oplus$, $\odot$, $h_l$ and $h_r$, in which there is only 
one unary function symbol $g$ of the second sort, and a language $\mathcal{L}_{hdc}$ for HDC. $\oplus$ 
and $\odot$ have type $((\mathrm{Intv}(T) \to Z_2) \times (\mathrm{Intv}(T) \to D)) \to (\mathrm{Intv}(T) \to D)$, and $h_l$ 
and $h_r$ have type $(\mathrm{Intv}(T) \to Z_2) \to (\mathrm{Intv}(T) \to Z_2)$. In $\mathcal{L}_{IL_2}$, the definition of 
terms will be extended by allowing duration terms and neighbourhood terms 
as terms, where duration terms are defined as: $h(\theta_1, \ldots, \theta_n)$ is a duration 
term; if $t_1$ and $t_2$ are duration terms then $t_1 \oplus t_2$ and $t_1 \odot t_2$ are both duration 
terms too. Neighbourhood terms are defined as: if $nt$ is of the form $x$ or $g(y)$ or 
$f(nt_1, \ldots, nt_n)$ then $h_r(nt)$ and $h_l(nt)$ are both neighbourhood terms. It is easy 
to define the meaning of the above extensions in the usual way. Obviously, 
$IL_2$ with $\Omega$ is still complete after the extension. We will use duration terms to 
correspond to the terms of state durations, and neighbourhood terms to correspond to the 
left and right values of state terms, in the translation $dc2il$ from $\mathcal{L}_{hdc}$ to 
$\mathcal{L}_{IL_2}$ below. 

Let us fix two bijections: $V \mapsto y_V$, and $R \mapsto h_R$ between $\mathcal{L}_{hdc}$ and $\mathcal{L}_{IL_2}$. We 
will establish a bijection between $\mathcal{L}_{hdc}$ and a subset of $\mathcal{L}_{IL_2}$ by a function $dc2il$ 
from $\mathcal{L}_{hdc}$ to a subset of $\mathcal{L}_{IL_2}$ and its inverse $il2dc$. 

We can prove that if a set of formulae $\Gamma$ in $\mathcal{L}_{hdc}$ is consistent w.r.t. the proof 
system of HDC then $dc2il(\Gamma)$ plus $dc2il(Axiom_{hdc})$, where $Axiom_{hdc}$ contains 
all axiom instances of HDC, is consistent w.r.t. the proof system of $IL_2$ with 
$dc2il(\Omega_{hdc})$. From now on, let $\Omega = dc2il(\Omega_{hdc})$. By Theorem 2 we can get 
a model $\langle \mathcal{F}, \mathcal{J} \rangle$ and an interval $[t_1, t_2]$ such that $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2\Omega} 
dc2il(\Gamma) \cup dc2il(Axiom_{hdc})$. Finally, according to the model and interval, we can 
construct a model $\langle \mathcal{F}', \mathcal{I} \rangle$ for HDC such that $\langle \mathcal{F}', \mathcal{I} \rangle, [t_1, t_2] \models_{HDC} \Gamma$. 
We define the translating function $dc2il$ from $\mathcal{L}_{hdc}$ to $\mathcal{L}_{IL_2}$ as follows: 

$dc2il(\vartheta) = \begin{cases} x & \text{if } \vartheta = x \\ g(y_V) & \text{if } \vartheta = V \\ f(dc2il(\vartheta_1), \ldots, dc2il(\vartheta_n)) & \text{if } \vartheta = f(\vartheta_1, \ldots, \vartheta_n) \end{cases}$ 

$dc2il(\theta) = \begin{cases} x & \text{if } \theta = x \\ h_l(dc2il(\vartheta)) & \text{if } \theta = \overleftarrow{\vartheta} \\ h_r(dc2il(\vartheta)) & \text{if } \theta = \overrightarrow{\vartheta} \\ f(dc2il(\theta_1), \ldots, dc2il(\theta_n)) & \text{if } \theta = f(\theta_1, \ldots, \theta_n) \end{cases}$ 

$dc2il(\int S) = \begin{cases} h_0 & \text{if } S = 0 \\ h_1 & \text{if } S = 1 \\ h_R(dc2il(\vartheta_1), \ldots, dc2il(\vartheta_n)) & \text{if } S = R(\vartheta_1, \ldots, \vartheta_n) \\ \ell - dc2il(\int S_1) & \text{if } S = \neg S_1 \\ dc2il(\int S_1) \odot dc2il(\int S_2) & \text{if } S = S_1 \wedge S_2 \\ dc2il(\int S_1) \oplus dc2il(\int S_2) & \text{if } S = S_1 \vee S_2 \end{cases}$ 

$dc2il(\phi) = \begin{cases} X & \text{if } \phi = X \\ R(dc2il(\theta_1), \ldots, dc2il(\theta_n)) & \text{if } \phi = R(\theta_1, \ldots, \theta_n) \\ \neg dc2il(\psi) & \text{if } \phi = \neg\psi \\ dc2il(\phi_1) \vee dc2il(\phi_2) & \text{if } \phi = \phi_1 \vee \phi_2 \\ dc2il(\phi_1) \wedge dc2il(\phi_2) & \text{if } \phi = \phi_1 \wedge \phi_2 \\ \exists x.\,dc2il(\psi) & \text{if } \phi = \exists x.\psi \\ \exists y_V.\,dc2il(\psi) & \text{if } \phi = \exists V.\psi \end{cases}$ 

where $h_0 = 0$ and $h_1 = \ell$. 

Symmetrically, we define its inverse $il2dc$ as follows: 

$il2dc(\theta) = \begin{cases} x & \text{if } \theta = x \\ V & \text{if } \theta = g(y_V) \\ \overleftarrow{il2dc(\theta')} & \text{if } \theta = h_l(\theta') \\ \overrightarrow{il2dc(\theta')} & \text{if } \theta = h_r(\theta') \\ f(il2dc(\theta_1), \ldots, il2dc(\theta_n)) & \text{if } \theta = f(\theta_1, \ldots, \theta_n) \\ \int 0 & \text{if } \theta = h_0 \\ \int 1 & \text{if } \theta = h_1 \\ \int R(il2dc(\theta_1), \ldots, il2dc(\theta_n)) & \text{if } \theta = h_R(\theta_1, \ldots, \theta_n) \end{cases}$ 

$il2dc(h_{R_1}(\theta_{11}, \ldots, \theta_{1n_1}) * \cdots * h_{R_m}(\theta_{m1}, \ldots, \theta_{mn_m})) = \int(R_1(il2dc(\theta_{11}), \ldots, il2dc(\theta_{1n_1})) \,\&\, \cdots \,\&\, R_m(il2dc(\theta_{m1}), \ldots, il2dc(\theta_{mn_m})))$ 
where $* \in \{\oplus, \odot\}$ and $\& \in \{\vee, \wedge\}$. If $* = \oplus$ then the corresponding $\&$ is $\vee$, otherwise the corresponding 
$\&$ is $\wedge$. 

$il2dc(\phi) = \begin{cases} X & \text{if } \phi = X \\ R(il2dc(\theta_1), \ldots, il2dc(\theta_n)) & \text{if } \phi = R(\theta_1, \ldots, \theta_n) \\ \neg il2dc(\psi) & \text{if } \phi = \neg\psi \\ il2dc(\phi_1) \vee il2dc(\phi_2) & \text{if } \phi = \phi_1 \vee \phi_2 \\ il2dc(\phi_1) \wedge il2dc(\phi_2) & \text{if } \phi = \phi_1 \wedge \phi_2 \\ \exists x.\,il2dc(\psi) & \text{if } \phi = \exists x.\psi \\ \exists V.\,il2dc(\psi) & \text{if } \phi = \exists y_V.\psi \end{cases}$ 
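An added executable rendering (not the paper's code) of $dc2il$ and $il2dc$ above: both HDC and $IL_2$ syntax are nested Python tuples, the bijections $V \mapsto y_V$ and $R \mapsto h_R$ are realised by name prefixes, and the script checks that $il2dc$ inverts $dc2il$ on the $\Omega_{hdc}$ formula $\exists x.(\lceil V = x \rceil \vee \lceil\,\rceil)$ (with $\lceil S \rceil$ expanded to $\int S = \ell \wedge \ell > 0$) and on a chop formula under $\exists V$. One assumption beyond the page: the $il2dc$ table does not say what to do with the term $\ell - d$ that $dc2il$ produces for $\int\neg S_1$, so the example maps such a term back to $\int\neg S_1$.

```python
from typing import Any, Tuple

# Added illustration (not the paper's code).  Syntax as nested tuples:
#   HDC state terms  ('x', name) | ('V', name) | ('f', name, [args])
#   HDC state exprs  ('0',) | ('1',) | ('R', name, [state terms]) | ('not', S) | ('and', S, S) | ('or', S, S)
#   HDC terms        ('x', name) | ('ell',) | ('int', S) | ('left', vt) | ('right', vt) | ('f', name, [terms])
#   HDC formulas     ('X', name) | ('R', name, [terms]) | ('not', p) | ('or'|'and'|'chop', p, q)
#                    | ('exists_x', name, p) | ('exists_V', name, p)
# IL2 side adds: ('g', ('y', name)), ('hl', t), ('hr', t), ('h0',), ('h1',), ('hR', name, [terms]),
#   ('oplus', t, t), ('odot', t, t), ('f', '-', [('ell',), t]) and ('exists_y', name, p).

Y_PREFIX, H_PREFIX = 'y_', 'h_'   # the bijections V -> y_V and R -> h_R (example's encoding)

def dc2il_state_term(vt):
    if vt[0] == 'x': return vt
    if vt[0] == 'V': return ('g', ('y', Y_PREFIX + vt[1]))
    if vt[0] == 'f': return ('f', vt[1], [dc2il_state_term(a) for a in vt[2]])
    raise ValueError(vt)

def dc2il_int(S):
    """dc2il(integral S): duration terms over h_0, h_1, h_R, oplus, odot and ell - (.)."""
    tag = S[0]
    if tag == '0':   return ('h0',)
    if tag == '1':   return ('h1',)
    if tag == 'R':   return ('hR', H_PREFIX + S[1], [dc2il_state_term(a) for a in S[2]])
    if tag == 'not': return ('f', '-', [('ell',), dc2il_int(S[1])])
    if tag == 'and': return ('odot', dc2il_int(S[1]), dc2il_int(S[2]))
    if tag == 'or':  return ('oplus', dc2il_int(S[1]), dc2il_int(S[2]))
    raise ValueError(S)

def dc2il_term(th):
    tag = th[0]
    if tag in ('x', 'ell'): return th
    if tag == 'int':   return dc2il_int(th[1])
    if tag == 'left':  return ('hl', dc2il_state_term(th[1]))
    if tag == 'right': return ('hr', dc2il_state_term(th[1]))
    if tag == 'f':     return ('f', th[1], [dc2il_term(a) for a in th[2]])
    raise ValueError(th)

def dc2il(phi):
    tag = phi[0]
    if tag == 'X':   return phi
    if tag == 'R':   return ('R', phi[1], [dc2il_term(a) for a in phi[2]])
    if tag == 'not': return ('not', dc2il(phi[1]))
    if tag in ('or', 'and', 'chop'): return (tag, dc2il(phi[1]), dc2il(phi[2]))
    if tag == 'exists_x': return ('exists_x', phi[1], dc2il(phi[2]))
    if tag == 'exists_V': return ('exists_y', Y_PREFIX + phi[1], dc2il(phi[2]))
    raise ValueError(phi)

def is_duration_term(th) -> bool:
    if th[0] in ('h0', 'h1', 'hR', 'oplus', 'odot'): return True
    return th[0] == 'f' and th[1] == '-' and th[2][0] == ('ell',) and is_duration_term(th[2][1])

def il2dc_state_term(th):
    if th[0] == 'x': return th
    if th[0] == 'g': return ('V', th[1][1][len(Y_PREFIX):])
    if th[0] == 'f': return ('f', th[1], [il2dc_state_term(a) for a in th[2]])
    raise ValueError(th)

def il2dc_state(th):
    """Inverse of dc2il_int: * = oplus/odot becomes & = or/and; ell - d becomes not (assumption)."""
    tag = th[0]
    if tag == 'h0':    return ('0',)
    if tag == 'h1':    return ('1',)
    if tag == 'hR':    return ('R', th[1][len(H_PREFIX):], [il2dc_state_term(a) for a in th[2]])
    if tag == 'oplus': return ('or', il2dc_state(th[1]), il2dc_state(th[2]))
    if tag == 'odot':  return ('and', il2dc_state(th[1]), il2dc_state(th[2]))
    return ('not', il2dc_state(th[2][1]))          # ('f', '-', [('ell',), d])

def il2dc_term(th):
    tag = th[0]
    if tag in ('x', 'ell'):   return th
    if is_duration_term(th):  return ('int', il2dc_state(th))
    if tag == 'hl':           return ('left', il2dc_state_term(th[1]))
    if tag == 'hr':           return ('right', il2dc_state_term(th[1]))
    if tag == 'f':            return ('f', th[1], [il2dc_term(a) for a in th[2]])
    raise ValueError(th)

def il2dc(phi):
    tag = phi[0]
    if tag == 'X':   return phi
    if tag == 'R':   return ('R', phi[1], [il2dc_term(a) for a in phi[2]])
    if tag == 'not': return ('not', il2dc(phi[1]))
    if tag in ('or', 'and', 'chop'): return (tag, il2dc(phi[1]), il2dc(phi[2]))
    if tag == 'exists_x': return ('exists_x', phi[1], il2dc(phi[2]))
    if tag == 'exists_y': return ('exists_V', phi[1][len(Y_PREFIX):], il2dc(phi[2]))
    raise ValueError(phi)

# Abbreviations from the paper: ceil(S) = (int S = ell and ell > 0), ceil() = (ell = 0).
ZERO: Tuple[Any, ...] = ('f', '0', [])
def ceil(S): return ('and', ('R', '=', [('int', S), ('ell',)]), ('R', '>', [('ell',), ZERO]))
POINT = ('R', '=', [('ell',), ZERO])

# The Omega_hdc member for V:  exists x.(ceil(V = x) or ceil())
OMEGA_V = ('exists_x', 'x', ('or', ceil(('R', '=', [('V', 'V'), ('x', 'x')])), POINT))
# A constructed chop formula:  exists V.( ceil(V = x and not W = 3) ; (right(V) = x) )
PHI = ('exists_V', 'V', ('chop',
        ceil(('and', ('R', '=', [('V', 'V'), ('x', 'x')]), ('not', ('R', '=', [('V', 'W'), ('f', '3', [])])))),
        ('R', '=', [('right', ('V', 'V')), ('x', 'x')])))

def round_trips(phi) -> bool:
    """il2dc inverts dc2il on the image of dc2il (the bijection claimed in Section 4)."""
    t = dc2il(phi)
    return il2dc(t) == phi and dc2il(il2dc(t)) == t
```

The translation of `OMEGA_V` is the formula $\exists x.(\lceil h_{=}(g(y_V), x) \rceil \vee \lceil\,\rceil)$ used in the proof of Theorem 5 below, with $h_{=}$ spelled `'h_='` here.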
From the definitions of $dc2il$ and $il2dc$ above, we have the following result. 

Theorem 4. For any set of formulae $\Gamma \subseteq \mathcal{L}_{hdc}$, $\Gamma$ is consistent w.r.t. the proof 
system of HDC iff $dc2il(\Gamma) \cup dc2il(Axiom_{hdc})$ is consistent w.r.t. the proof system 
of $IL_2$ with $dc2il(\Omega_{hdc})$. 

Proof. By the above definitions of $dc2il$ and $il2dc$, it is trivial. □ 

Theorem 5. If $\Gamma$ is consistent w.r.t. the proof system of HDC, then $\Gamma$ is sat- 
isfiable. 

Proof. The consistency of $\Gamma$ w.r.t. HDC implies the consistency of $\Gamma_0 = \{\ell = 
a\} ; \Gamma ; \{\ell = b\}$ w.r.t. HDC, where $a, b \geq 0$, by the neighbourhood rule. The consis- 
tency of $\Gamma_0$ w.r.t. HDC implies the consistency of $dc2il(\Gamma_0) \cup dc2il(Axiom_{hdc})$ 
w.r.t. $IL_2$ with $\Omega$ by Theorem 4. Hence, by Theorem 2 there exists an $IL_2$ 
model $\mathcal{M} = \langle \mathcal{F}, \mathcal{J} \rangle$ on which $\phi$ has the finite variability property for every 
$\phi \in \Omega$, where $\mathcal{F} = \langle\langle T, < \rangle, \langle D, +, 0 \rangle, D_1, m\rangle$ is its frame, and an interval 
$[t_1, t_2] \in \mathrm{Intv}(T)$ such that $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1, t_2] \models_{IL_2\Omega} dc2il(\Gamma_0) \cup dc2il(Axiom_{hdc})$. 
Hence, there exists a proper sub-interval $[t_1', t_2']$ such that $t_1 \leq t_1' \leq t_2' \leq t_2$, 
$t_1' = t_1 + a$, $t_2' = t_2 - b$, and $\langle \mathcal{F}, \mathcal{J} \rangle, [t_1', t_2'] \models_{IL_2\Omega} dc2il(\Gamma) \cup dc2il(Axiom_{hdc})$. 

From now on, we prove that there exists a model $\langle \mathcal{F}', \mathcal{I} \rangle$ of HDC such 
that $\langle \mathcal{F}', \mathcal{I} \rangle, [t_1', t_2'] \models_{HDC} \Gamma$. 

Let $\mathfrak{S}$ be a class of interpretations of $IL_2$ such that for every element $\mathcal{J}' \in \mathfrak{S}$, 
$\langle \mathcal{F}, \mathcal{J}' \rangle$ is a model of $IL_2$, and $\mathcal{J}'\llbracket g \rrbracket = \mathcal{J}\llbracket g \rrbracket$. 

For every $\mathcal{J}' \in \mathfrak{S}$ we construct an interpretation $\mathcal{I}'$ of $\mathcal{L}_{hdc}$ as follows: 

For every $V \in PVar$, the formula $\Phi = dc2il(\exists x.\lceil V = x \rceil \vee \lceil\,\rceil) \in dc2il(\Omega_{hdc})$. 
By Theorem 2 there exists a partition $t_1' = t_1'' < t_2'' < \ldots < t_n'' = t_2'$ of $[t_1', t_2']$ 
such that $\langle \mathcal{F}, \mathcal{J}' \rangle, [t_i'', t_{i+1}''] \models_{IL_2\Omega} dc2il(\exists x.\lceil V = x \rceil \vee \lceil\,\rceil)$, i.e. 
$\langle \mathcal{F}, \mathcal{J}' \rangle, [t_i'', t_{i+1}''] \models_{IL_2\Omega} \exists x.\lceil h_{id}(g(y_V), x) \rceil \vee \lceil\,\rceil$, for $i = 1, \ldots, n-1$. Thus $\mathcal{I}'$ can be 
defined as follows: 

$\mathcal{I}'\llbracket V \rrbracket(t) = x$ if $t_i'' \leq t < t_{i+1}''$ and 
$\langle \mathcal{F}, \mathcal{J}'' \rangle, [t_i'', t_{i+1}''] \models_{IL_2\Omega} \lceil h_{id}(g(y_V), x) \rceil \vee \lceil\,\rceil$, 
where $\mathcal{J}''$ is $x$-equivalent to $\mathcal{J}'$; 

$\mathcal{I}'(x) = \mathcal{J}'(x)$, $\mathcal{I}'(f_i^n) = \mathcal{J}'(f_i^n)$, $\mathcal{I}'(X) = \mathcal{J}'(X)$, $\mathcal{I}'(R_i^n) = \mathcal{J}'(R_i^n)$ otherwise. $\qquad (\bullet\bullet)$ 

In order to prove the theorem, we need the following two lemmas. 

Lemma 2. Let $\mathcal{J}' \in \mathfrak{S}$, and let $\mathcal{J}'$ and $\mathcal{I}'$ have the relation $(\bullet\bullet)$. Then for any 
term $\theta$ in $\mathcal{L}_{hdc}$ and any interval $[c, d] \subseteq [t_1', t_2']$ we have: 

$\mathcal{I}'\llbracket \theta \rrbracket [c, d] = \mathcal{J}'\llbracket dc2il(\theta) \rrbracket [c, d]$. 

Proof of the lemma: See [?]. □ 

Now, we can give a correspondence between $\mathcal{I}'$ and $\mathcal{J}'$ which have the relation 
$(\bullet\bullet)$ on formulae by the following lemma. 
Lemma 3. Let $\mathcal{J}' \in \mathfrak{S}$, and let $\mathcal{J}'$ and $\mathcal{I}'$ have the relation $(\bullet\bullet)$. Then for any 
formula $\phi$ in $\mathcal{L}_{hdc}$ and any subinterval $[c, d] \subseteq [t_1', t_2']$, $\langle \mathcal{F}, \mathcal{I}' \rangle, [c, d] \models_{HDC} \phi$ 
iff $\langle \mathcal{F}, \mathcal{J}' \rangle, [c, d] \models_{IL_2\Omega} dc2il(\phi)$. 

Proof of the lemma: We give its proof by induction on the construction of 
$\phi$. We only prove the case $\phi = \exists V.\psi$; the other cases can be proved easily by 
Lemma 2 and the definition of $dc2il$. 

"⇐" It is easy to show. 

"⇒" Let $\langle \mathcal{F}, \mathcal{I}' \rangle, [c, d] \models_{HDC} \phi$. Then there exists an interpretation 
$\mathcal{I}''$ for HDC which is $V$-equivalent to $\mathcal{I}'$, and $\langle \mathcal{F}, \mathcal{I}'' \rangle, [c, d] \models_{HDC} \psi$. Let 
$t_0'', \ldots, t_{n+1}'' \in T$ be such that $t_1 \leq t_0'' < c = t_1'' < \ldots < t_n'' = d < t_{n+1}'' \leq t_2$, 
and $\mathcal{I}''(V)$ is constant on $[t_i'', t_{i+1}'')$ for $i = 0, \ldots, n$, and assume these $n+1$ 
constants are $c_0, \ldots, c_n$. The above assumption is reasonable because $\langle \mathcal{F}, \mathcal{I}'' \rangle$ 
is a model of HDC. Since $\mathcal{M} = \langle \mathcal{F}, \mathcal{J} \rangle$ is a model of $IL_2$, by the axiom $Q_V$ 
we have that for all $i = 0, \ldots, n$, there exists some $d_i \in D_1$ such that 

$(*)$ $\mathcal{J}(g)(d_i, [b, e]) = c_i$ if $\mathcal{I}''\llbracket V \rrbracket = c_i$ 
for any sub-interval $[b, e] \subseteq [t_i'', t_{i+1}'']$. 

Applying the axioms HDC1-HDC3 $n$ times implies that there exists a $d \in D_1$ 
such that for all $i = 0, \ldots, n+1$ and $t \in [t_i'', t_{i+1}'')$ 

$\mathcal{I}''(V)(t) = c_i$ iff $\langle \mathcal{F}, \mathcal{J}'' \rangle, [t_i'', t_{i+1}''] \models_{IL_2\Omega} \lceil h_{id}(g(d), c_i) \rceil$. 

Let $\mathcal{J}''(z) = \mathcal{J}'(z)$ for all symbols $z$ in $IL_2$ but $y_V$, and $\mathcal{J}''(y_V) = d$ as defined by 
the above. Hence $\mathcal{J}''$ is $y_V$-equivalent to $\mathcal{J}'$, and $\mathcal{J}''$ and $\mathcal{I}''$ have the 
relation given in $(\bullet\bullet)$. By the induction hypothesis, $\langle \mathcal{F}, \mathcal{J}'' \rangle, [c, d] \models_{IL_2\Omega} dc2il(\psi)$, 
whence $\langle \mathcal{F}, \mathcal{J}' \rangle, [c, d] \models_{IL_2\Omega} dc2il(\phi)$ by the definition of $dc2il$. □ 

Now, let $\mathcal{F}' = \langle\langle T, < \rangle, \langle D, +, 0 \rangle, m\rangle$. It is easy to show that $\langle \mathcal{F}', \mathcal{I} \rangle, 
[t_1', t_2'] \models_{HDC} \Gamma$ since the interpretations of HDC are independent of $D_1$. □ 

Theorem 6 (Completeness). The proof system of HDC is complete, i.e. $\models_{HDC} 
\phi$ implies $\vdash_{HDC} \phi$. 

Proof. Suppose $\models_{HDC} \phi$ but $\nvdash_{HDC} \phi$. Then $\{\neg\phi\}$ is consistent with respect to the 
proof system of HDC. By Theorem 5 there exists a model $\langle \mathcal{F}, \mathcal{I} \rangle$ and an 
interval $[t_1, t_2]$ such that $\langle \mathcal{F}, \mathcal{I} \rangle, [t_1, t_2] \models_{HDC} \neg\phi$. This contradicts $\models_{HDC} \phi$. 
Hence, $\vdash_{HDC} \phi$. □ 



5 Discussion

In order to develop a DC-based programming theory, a higher-order duration
calculus has been established in [ref]. In this paper we investigate the logical
properties of HDC. In particular, we proved that HDC is complete on abstract
domains by reducing HDC to a complete first-order two-sorted interval temporal
logic.

In the literature on DC there are two completeness results. One is on abstract
domains (see [ref]); unfortunately it requires the ω-rule. The other is on the real
domain (see [ref]), but it is a relative completeness, i.e. it is assumed that all
valid formulae of real arithmetic and interval temporal logic are provable in DC.
Up to now, no one has found a relation between these two completeness results.

If we give another relative completeness of HDC, i.e. if ⊨_HDC φ then U_R ⊢_HDC
φ, where U_R stands for all valid real formulae, then we can show that if interval
temporal logic is complete on the real domain w.r.t. the assumption that all valid
real formulae are provable, then completeness of HDC on the real domain under
the same assumption can be proved with the technique developed in this paper.
This conclusion can be applied to other variants of DC too. But how to prove the
relative completeness of interval temporal logic on the real domain is still an open
problem.
Abstract. Semantic labelling is a powerful tool for proving termination
of term rewrite systems. The usefulness of the extension to equational
term rewriting described in Zantema [ref] is however rather limited. In
this paper we introduce a stronger version of equational semantic
labelling, parameterized by three choices: (1) the order on the underlying
algebra (partial order vs. quasi-order), (2) the relation between the
algebra and the rewrite system (model vs. quasi-model), and (3) the
labelling of the function symbols appearing in the equations (forbidden vs.
allowed). We present soundness and completeness results for the various
instantiations and analyze the relationships between them. Applications
of our equational semantic labelling technique include a short proof of the
main result of Ferreira et al. [ref] — the correctness of a version of dummy
elimination for AC-rewriting which completely removes the AC-axioms —
and an extension of Zantema's distribution elimination technique [ref] to
the equational setting.



1 Introduction

This paper is concerned with termination of equational term rewrite systems.
Termination of ordinary term rewrite systems has been extensively studied and
several powerful methods for establishing termination are available (e.g. [refs]).
For equational term rewriting much less is known, although in recent years
significant progress has been made with respect to AC-termination, i.e., termination
of equational rewrite systems where the set of equations consists of the
associativity and commutativity axioms AC(f) = {f(f(x, y), z) ≈ f(x, f(y, z)),
f(x, y) ≈ f(y, x)} for (some of) the binary function symbols occurring in the
rewrite rules. An early paper on termination of equational rewriting is Jouannaud
and Muñoz [ref]. In that paper sufficient conditions are given for reducing
termination of an equational term rewrite system to termination of its underlying
term rewrite system. In another early paper (Ben Cherifa and Lescanne [ref])
a characterization of the polynomials is given that can be used in a polynomial
interpretation proof of AC-termination. In more recent papers [refs] syntactic
methods like the well-known recursive path order for proving termination
of rewriting are extended to AC-rewriting. Marché and Urbain [ref] extended
the powerful dependency pair technique of Arts and Giesl [ref] to AC-rewriting.
In [refs] two extensions of dummy elimination ([ref]) to equational rewriting are
presented. In [ref] the type introduction technique of Zantema [ref] is extended
to equational term rewriting.

In this paper we extend another technique of Zantema to equational term
rewriting. By labelling function symbols according to the semantics of the rewrite
system, semantic labelling ([ref]) transforms a rewrite system into another rewrite
system with the same termination behaviour. The aim is to obtain a transformed
rewrite system where termination is easier to establish. The strength of semantic
labelling is amply illustrated in [refs]. Here we present powerful extensions
of semantic labelling to equational rewriting and analyze their soundness and
completeness. Our equational semantic labelling yields a short correctness proof
of a version of dummy elimination for AC-rewriting. This result of Ferreira et
al. was obtained in [ref] by considerably more complicated arguments. Another
application of our technique is the extension of some of the results of Zantema [ref]
concerning distribution elimination to the AC case.



2 Preliminaries

Familiarity with the basics of term rewriting ([ref]) is assumed. An equational
system (ES for short) consists of a signature F and a set E of equations between
terms in T(F, V). We write s →_E t if there exist an equation l ≈ r in E,
a substitution σ, and a context C such that s = C[lσ] and t = C[rσ]. The
symmetric closure of →_E is denoted by ⊢⊣_E and the transitive reflexive closure
of ⊢⊣_E by ∼_E. A rewrite rule is an equation l ≈ r such that l is not a variable
and variables which occur in r also occur in l. Rewrite rules l ≈ r are written as
l → r. A term rewrite system (TRS for short) is an ES with the property that
all its equations are rewrite rules. An equational term rewrite system (ETRS for
short) R/E consists of a TRS R and an ES E over the same signature. We write
s →_{R/E} t if there exist terms s' and t' such that s ∼_E s' →_R t' ∼_E t. Similar to
ordinary term rewrite systems, an ETRS is called terminating if there does not
exist an infinite →_{R/E} reduction.

Let F be a signature and A = (A, {f_A}_{f ∈ F}) an F-algebra equipped with a
quasi-order (i.e., a reflexive and transitive relation) ≿ on its (non-empty)
carrier A. For any variable assignment α: V → A we define the term evaluation
[α]_A: T(F, V) → A inductively by [α]_A(x) = α(x) and [α]_A(f(t_1, ..., t_n)) =
f_A([α]_A(t_1), ..., [α]_A(t_n)) for x ∈ V, f ∈ F, and t_1, ..., t_n ∈ T(F, V). If A is
clear from the context, then we often write [α] instead of [α]_A. We say that
A is monotone if the algebra operations of A are monotone with respect to ≿
in all coordinates, i.e., if f ∈ F has arity n ≥ 1 then f_A(a_1, ..., a_i, ..., a_n) ≿
f_A(a_1, ..., b, ..., a_n) for all a_1, ..., a_n, b ∈ A and i ∈ {1, ..., n} with a_i ≿ b.
An ETRS R/E over a signature F is compatible with a monotone F-algebra
(A, ≿) if l ≿_A r for every rewrite rule l → r ∈ R and l ∼_A r for every equation
l ≈ r ∈ E. Here the relation ≿_A is defined by s ≿_A t if [α]_A(s) ≿ [α]_A(t) for
every assignment α, and ∼_A is the equivalence relation induced by ≿_A. If R/E
and (A, ≿) are compatible, we also say that (A, ≿) is a quasi-model of R/E. We
call (A, ≿) a model of R/E if l ∼_A r for all l → r ∈ R and l ≈ r ∈ E.

A TRS R is precedence terminating if there exists a well-founded order ⊐ on
its signature F such that root(l) ⊐ f for every rule l → r ∈ R and every function
symbol f occurring in r. Precedence terminating TRSs are terminating ([ref]).
The next lemma states that this remains true in the presence of AC-axioms.

Lemma 1. Let R/E be an ETRS over a signature F such that E = ⋃_{f ∈ G} AC(f)
for some subset G of F. If R is precedence terminating then R/E is terminating.

Proof. By definition there is a well-founded order ⊐ on F such that root(l) ⊐ f
for every rule l → r ∈ R and every function symbol f occurring in r. Any
AC-compatible recursive path order induced by ⊐ that is defined on terms with
variables (e.g. [refs]) orients the rules of R from left to right. (The complicated
case in which two terms with equal root symbols in G have to be compared never
arises due to the assumption on ⊐.) We conclude that R/E is terminating. □

3 Semantic Labelling for Equational Rewriting

In this section we present our equational semantic labelling framework by
appropriately extending the definitions of Zantema [ref] for ordinary semantic
labelling.

Definition 1. Let F be a signature and A an F-algebra. A labelling L for F
consists of sets of labels L_f ⊆ A for every f ∈ F. The labelled signature F_lab
consists of n-ary function symbols f_a for every n-ary function symbol f ∈ F
and label a ∈ L_f together with all function symbols f ∈ F such that L_f = ∅.
A labelling ℓ for A consists of a labelling L for the signature F together with
mappings ℓ_f: A^n → L_f for every n-ary function symbol f ∈ F with L_f ≠ ∅. If
A is equipped with a quasi-order ≿ then the labelling is said to be monotone if
its labelling functions ℓ_f are monotone (with respect to ≿) in all arguments.

Definition 2. Let R/E be an ETRS over a signature F, (A, ≿) an F-algebra,
and ℓ a labelling for A. For every assignment α we inductively define a labelling
function lab_α from T(F, V) to T(F_lab, V): lab_α(t) = t if t ∈ V and lab_α(t) =
f_{ℓ_f([α](t_1), ..., [α](t_n))}(lab_α(t_1), ..., lab_α(t_n)) if t = f(t_1, ..., t_n). We define TRSs
R_lab, Dec(F, ≿) and ESs E_lab, Eq(F, ≿) over the signature F_lab as follows:

    R_lab     = { lab_α(l) → lab_α(r) | l → r ∈ R and α: V → A },

    E_lab     = { lab_α(l) ≈ lab_α(r) | l ≈ r ∈ E and α: V → A },

    Dec(F, ≿) = { f_a(x_1, ..., x_n) → f_b(x_1, ..., x_n) | f ∈ F, a, b ∈ L_f, a ≻ b },

    Eq(F, ≿)  = { f_a(x_1, ..., x_n) ≈ f_b(x_1, ..., x_n) | f ∈ F, a, b ∈ L_f, a ∼ b, a ≠ b }.

The purpose of the condition a ≠ b in the definition of Eq(F, ≿) is to exclude
trivial equations. When the signature F and the quasi-order ≿ can be inferred
from the context we just write Dec and Eq. We write R̄ for the union of R_lab
and Dec and Ē for the union of E_lab and Eq.
The next theorem states our first equational semantic labelling result.

Theorem 1. Let R/E be an ETRS over a signature F, (A, ≿) a monotone F-
algebra, and ℓ a monotone labelling for A. If A is a quasi-model of R/E and
R̄/Ē is terminating then R/E is terminating.

Proof. We show that for all terms s, t ∈ T(F, V) and assignments α we have

1. if s →_R t then lab_α(s) ∼_Ē · →⁺_R̄ lab_α(t),

2. if s ⊢⊣_E t then lab_α(s) ∼_Ē lab_α(t).

Suppose s = C[lσ] and t = C[rσ] for some rewrite rule l → r ∈ R, context C, and
substitution σ. We show (1) by induction on C. If C = □ then lab_α(s) = lab_α(lσ)
and lab_α(t) = lab_α(rσ). Define the assignment β = [α]_A ∘ σ and the substitution
τ = lab_α ∘ σ (i.e., σ is applied first). An easy induction proof (e.g. [ref,
Lemma 2]) reveals that lab_α(lσ) = lab_β(l)τ and lab_α(rσ) = lab_β(r)τ. By
definition lab_β(l) → lab_β(r) ∈ R_lab and hence lab_α(s) = lab_β(l)τ →_{R_lab} lab_β(r)τ =
lab_α(t). For the induction step, let C = f(u_1, ..., C', ..., u_n). The induction
hypothesis yields lab_α(C'[lσ]) ∼_Ē · →⁺_R̄ lab_α(C'[rσ]). Because A is a quasi-model
of R/E and C'[lσ] →_R C'[rσ], we have [α]_A(C'[lσ]) ≿ [α]_A(C'[rσ]). Let

    a = ℓ_f([α]_A(u_1), ..., [α]_A(C'[lσ]), ..., [α]_A(u_n))

and

    b = ℓ_f([α]_A(u_1), ..., [α]_A(C'[rσ]), ..., [α]_A(u_n)).

Monotonicity of the labelling function ℓ_f yields a ≿ b. We distinguish two cases.
If a ≻ b then

    lab_α(s) = f_a(lab_α(u_1), ..., lab_α(C'[lσ]), ..., lab_α(u_n))
             ∼_Ē · →⁺_R̄ f_a(lab_α(u_1), ..., lab_α(C'[rσ]), ..., lab_α(u_n))
             →_Dec f_b(lab_α(u_1), ..., lab_α(C'[rσ]), ..., lab_α(u_n))
             = lab_α(t).

If a ∼ b then

    lab_α(s) = f_a(lab_α(u_1), ..., lab_α(C'[lσ]), ..., lab_α(u_n))
             ⊢⊣^=_Eq f_b(lab_α(u_1), ..., lab_α(C'[lσ]), ..., lab_α(u_n))
             ∼_Ē · →⁺_R̄ f_b(lab_α(u_1), ..., lab_α(C'[rσ]), ..., lab_α(u_n))
             = lab_α(t).

Here ⊢⊣^=_Eq denotes ⊢⊣_Eq ∪ =. Since →_Dec ⊆ →_R̄ and ⊢⊣_Eq · ∼_Ē ⊆ ∼_Ē, in both
cases we obtain the desired lab_α(s) ∼_Ē · →⁺_R̄ lab_α(t).

The proof of (2) follows along the same lines. In the induction step we have
[α]_A(C'[lσ]) ∼ [α]_A(C'[rσ]). Monotonicity of ℓ_f yields both a ≿ b and b ≿ a.
Hence a ∼ b and thus

    lab_α(s) = f_a(lab_α(u_1), ..., lab_α(C'[lσ]), ..., lab_α(u_n))
             ⊢⊣^=_Eq f_b(lab_α(u_1), ..., lab_α(C'[lσ]), ..., lab_α(u_n))
             ∼_Ē f_b(lab_α(u_1), ..., lab_α(C'[rσ]), ..., lab_α(u_n))
             = lab_α(t)

by the definition of Eq and the induction hypothesis.

From (1) and (2) it follows that any infinite R/E-rewrite sequence gives rise
to an infinite R̄/Ē-rewrite sequence. □
The converse of the above theorem does not hold. Consider the terminating
ETRS R/E with R = ∅ and E = {f(a) ≈ a}. Let A be the algebra over the
carrier {0, 1} with 1 ≻ 0 and operations f_A(x) = x for all x ∈ {0, 1} and a_A = 1.
Note that A is a (quasi-)model of R/E. By letting ℓ_f be the identity function
and by choosing L_a = ∅, we obtain the labelled ETRS R̄/Ē with R_lab = ∅,
Dec = {f_1(x) → f_0(x)}, E_lab = {f_1(a) ≈ a}, and Eq = ∅. The ETRS R̄/Ē is not
terminating: a ∼_Ē f_1(a) ∼_Ē f_1(f_1(a)) →_Dec f_0(f_1(a)) →_Dec ··· . Nevertheless, in
this example there are no infinite R̄/Ē-rewrite sequences that contain infinitely
many R_lab/Ē-steps, which is known as relative termination (Geser [ref]) of
R_lab/Ē with respect to Dec. It is not difficult to show that under the assumptions
of Theorem 1 termination of R/E is equivalent to relative termination of R_lab/Ē
with respect to Dec.

Zantema [ref] showed the necessity of the inclusion of Dec in R̄ for the
correctness of Theorem 1 (with E = ∅) by means of the TRS R = {f(g(x)) →
g(g(f(f(x))))}, the algebra A over the carrier {0, 1} with operations f_A(x) = 1
and g_A(x) = 0 for all x ∈ {0, 1}, and the order 1 ≻ 0. By labelling f with the value
of its argument, we obtain the TRS R_lab = {f_0(g(x)) → g(g(f_1(f_0(x)))), f_0(g(x))
→ g(g(f_1(f_1(x))))} which is compatible with the recursive path order with
precedence f_0 ⊐ f_1, g. However, R is not terminating: f(f(g(x))) → f(g(g(f(f(x))))) →
g(g(f(f(g(f(f(x))))))) → ··· .

The inclusion of Eq in Ē is also essential for the correctness of Theorem 1.
Consider the ETRS R/E with R = {f(a, b, x) → f(x, x, x), g(x, y) → x, g(x, y) →
y} and E = ∅. Let A be the algebra over the carrier {0, 1} with 0 ∼ 1 and
operations f_A(x, y, z) = 1, g_A(x, y) = 0, a_A = 0, and b_A = 1. We label function
symbol f as follows: ℓ_f(x, y, z) = 0 if x = y and ℓ_f(x, y, z) = 1 if x ≠ y. Note
that A is a quasi-model for R/E and ℓ_f is trivially monotone. We have R_lab =
{f_1(a, b, x) → f_0(x, x, x), g(x, y) → x, g(x, y) → y}, Dec = ∅, and E_lab = ∅.
Termination of R̄ is easily shown. It is well-known (Toyama [ref]) that R is not
terminating. Note that in this example Eq = {f_0(x, y, z) ≈ f_1(x, y, z)} and hence
R̄/Ē is not terminating.
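As an added illustration (not code from the paper), the following Python computes R_lab, Dec and Eq of Definition 2 for a finite carrier and runs it on the two examples just given, Zantema's TRS {f(g(x)) → g(g(f(f(x))))} and the f(a, b, x) → f(x, x, x) system; the term encoding and the function names are our own.

```python
from itertools import product

# Term encoding (our own convention): a variable is a str, an application
# f(t1, ..., tn) is the tuple (f, (t1, ..., tn)); a constant has empty args.
def app(f, *args):
    return (f, tuple(args))

def subterms(t):
    """All subterms of t, t itself included."""
    yield t
    if not isinstance(t, str):
        for a in t[1]:
            yield from subterms(a)

def evaluate(t, algebra, alpha):
    """Term evaluation [alpha]_A(t) of Section 2; algebra[f] is f_A."""
    if isinstance(t, str):
        return alpha[t]
    f, args = t
    return algebra[f](*(evaluate(a, algebra, alpha) for a in args))

def lab(t, algebra, labelling, alpha):
    """lab_alpha(t) of Definition 2; labelling[f] is ell_f, absent if L_f is empty."""
    if isinstance(t, str):
        return t
    f, args = t
    labelled_args = tuple(lab(a, algebra, labelling, alpha) for a in args)
    if f not in labelling:                      # L_f empty: f stays unlabelled
        return (f, labelled_args)
    label = labelling[f](*(evaluate(a, algebra, alpha) for a in args))
    return (f"{f}_{label}", labelled_args)      # f_a with a = ell_f([alpha](t_1), ...)

def label_system(rules, algebra, labelling, carrier, ge):
    """R_lab (or E_lab), Dec and Eq of Definition 2 over a finite carrier.
    rules: list of (l, r) pairs; ge(a, b) decides a >~ b on the carrier.
    Equations of Eq are returned as frozensets {lhs, rhs}."""
    r_lab, dec, eq, arity = set(), set(), set(), {}
    for l, r in rules:
        occurring = [*subterms(l), *subterms(r)]
        arity.update((s[0], len(s[1])) for s in occurring if not isinstance(s, str))
        xs = list(dict.fromkeys(s for s in occurring if isinstance(s, str)))
        for values in product(carrier, repeat=len(xs)):   # every assignment alpha
            alpha = dict(zip(xs, values))
            r_lab.add((lab(l, algebra, labelling, alpha),
                       lab(r, algebra, labelling, alpha)))
    for f, ell in labelling.items():
        xs = tuple(f"x{i}" for i in range(1, arity[f] + 1))
        labels = {ell(*vals) for vals in product(carrier, repeat=arity[f])}  # L_f
        for a, b in product(labels, repeat=2):
            if ge(a, b) and not ge(b, a):               # a > b: a decreasing rule
                dec.add((app(f"{f}_{a}", *xs), app(f"{f}_{b}", *xs)))
            elif ge(a, b) and ge(b, a) and a != b:      # a ~ b, a != b: an Eq equation
                eq.add(frozenset({app(f"{f}_{a}", *xs), app(f"{f}_{b}", *xs)}))
    return r_lab, dec, eq

def show(t):
    """Render a term as text, e.g. f_0(g(x))."""
    if isinstance(t, str):
        return t
    f, args = t
    return f if not args else f"{f}({', '.join(show(a) for a in args)})"

def zantema_dec_example():
    """R = {f(g(x)) -> g(g(f(f(x))))}, f_A(x) = 1, g_A(x) = 0, order 1 > 0,
    and f labelled with the value of its argument (the Dec example above)."""
    rules = [(app("f", app("g", "x")), app("g", app("g", app("f", app("f", "x")))))]
    algebra = {"f": lambda x: 1, "g": lambda x: 0}
    labelling = {"f": lambda x: x}
    return label_system(rules, algebra, labelling, [0, 1], lambda a, b: a >= b)

def eq_example():
    """R = {f(a,b,x) -> f(x,x,x), g(x,y) -> x, g(x,y) -> y}, carrier {0,1} with
    0 ~ 1, f_A = 1, g_A = 0, a_A = 0, b_A = 1, ell_f(x,y,z) = 0 iff x = y."""
    rules = [(app("f", app("a"), app("b"), "x"), app("f", "x", "x", "x")),
             (app("g", "x", "y"), "x"), (app("g", "x", "y"), "y")]
    algebra = {"f": lambda x, y, z: 1, "g": lambda x, y: 0,
               "a": lambda: 0, "b": lambda: 1}
    labelling = {"f": lambda x, y, z: 0 if x == y else 1}
    return label_system(rules, algebra, labelling, [0, 1], lambda a, b: True)

if __name__ == "__main__":
    for name, example in (("Dec example", zantema_dec_example), ("Eq example", eq_example)):
        r_lab, dec, eq = example()
        print(name)
        for title, trs in (("R_lab", r_lab), ("Dec", dec)):
            print(f"  {title}:", ", ".join(f"{show(l)} -> {show(r)}" for l, r in sorted(trs, key=str)))
        print("  Eq:", ", ".join(" ~ ".join(show(s) for s in e) for e in eq))
```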

Finally, both monotonicity requirements are essential. Consider the TRS R =
{f(g(a)) → f(g(b)), b → a}. Let A be the algebra over the carrier {0, 1} with
1 ≻ 0 and operations f_A(x) = 0, g_A(x) = 1 − x, a_A = 0, and b_A = 1. We
have l ≿_A r for both rules l → r ∈ R. If ℓ_f(x) = x then we obtain the TRS
R̄ = {f_1(g(a)) → f_0(g(b)), b → a, f_1(x) → f_0(x)} which is compatible with the
recursive path order with precedence f_1 ⊐ f_0, g and f_1 ⊐ b ⊐ a. However, R is
not terminating. Note that g_A is not monotone. Next consider the algebra B
over the carrier {0, 1} with 1 ≻ 0 and operations f_B(x) = 0, g_B(x) = x, a_B = 0,
and b_B = 1. If ℓ_f(x) = 1 − x then we obtain the same TRS R̄ as before. Note
that now ℓ_f is not monotone.

If the algebra A is a model of the ETRS R/E then (similar to ordinary
semantic labelling [ref]) we can dispense with Dec. Moreover, in this case the
converse of Theorem 1 also holds. This is expressed in the next theorem.

Theorem 2. Let R/E be an ETRS over a signature F, (A, ≿) a monotone
F-algebra, and ℓ a monotone labelling for A. If A is a model of R/E then
termination of R_lab/Ē is equivalent to termination of R/E.
Proof. The following statements are obtained by a straightforward modification
of the proof of Theorem 1:

1. if s →_R t then lab_α(s) ∼_Ē · →_{R_lab} lab_α(t),

2. if s ⊢⊣_E t then lab_α(s) ∼_Ē lab_α(t).

Note that since A is a model we have [α]_A(C'[lσ]) ∼ [α]_A(C'[rσ]) and hence
a ∼ b in the induction step. This explains why there is no need for Dec. So
termination of R_lab/Ē implies termination of R/E. The converse also holds:
eliminating all labels in an infinite R_lab/Ē-rewrite sequence yields an infinite
R/E-rewrite sequence (because there are infinitely many R_lab-steps). □

If the quasi-model A in Theorem 1 is equipped with a partial order (i.e., a
reflexive, transitive, and anti-symmetric relation) ≥ instead of a quasi-order ≿
then we can dispense with Eq.

Theorem 3. Let R/E be an ETRS over a signature F, (A, ≥) a monotone F-
algebra, and ℓ a monotone labelling for A. If A is a quasi-model of R/E and
R̄/E_lab is terminating then R/E is terminating.

Proof. The proof of Theorem 1 applies; because the equivalence associated with
a partial order is the identity relation we have Eq = ∅. □

The first example in this section shows that the converse of Theorem 3 does
not hold. Combining the preceding two theorems yields the following result.

Corollary 1. Let R/E be an ETRS over a signature F, (A, ≥) a monotone
F-algebra, and ℓ a monotone labelling for A. If A is a model of R/E then
termination of R_lab/E_lab is equivalent to termination of R/E. □

Note that if the pair (A, ≿) is a model of R/E then so is (A, =). Since in this
case monotonicity of both the algebra operations and the labelling functions is
trivially satisfied, we can rephrase the above corollary as follows.

Corollary 2. Let R/E be an ETRS over a signature F, A an F-algebra, and
ℓ a labelling for A. If A is a model of R/E then termination of R_lab/E_lab is
equivalent to termination of R/E. □

Note that the unspecified quasi-order is assumed to be the identity relation,
so model here means l =_A r for all rules l → r ∈ R and all equations l ≈ r ∈ E.

Let us conclude this section by illustrating the power of equational semantic
labelling on a concrete example. Consider the ETRS R/E with R = {x − 0 →
x, s(x) − s(y) → x − y, 0 ÷ s(y) → 0, s(x) ÷ s(y) → s((x − y) ÷ s(y))} and
E = {(x ÷ y) ÷ z ≈ (x ÷ z) ÷ y}. Let A be the algebra with carrier ℕ, standard
order ≥ and operations 0_A = 0, s_A(x) = x + 1, and x −_A y = x ÷_A y = x. This
algebra is a quasi-model of R/E. If ℓ_÷(x, y) = x then we have R_lab = {x − 0 →
x, s(x) − s(y) → x − y, 0 ÷_0 s(y) → 0} ∪ {s(x) ÷_{n+1} s(y) → s((x − y) ÷_n s(y)) |
n ≥ 0}, Dec = {x ÷_m y → x ÷_n y | m > n}, and E_lab = {(x ÷_n y) ÷_n z ≈ (x ÷_n z) ÷_n
y | n ≥ 0}. Termination of R̄/E_lab can be shown by the following polynomial
interpretation: [0] = 0, [s](x) = x + 1, x [−] y = x + y + 1, and x [÷_n] y =
x + ny + n + y for all n ≥ 0. According to Theorem 3 the original ETRS
R/E is terminating as well. Note that a direct termination proof with standard
techniques is impossible since an instance of the last rule of R is self-embedding.
In order to make this rule non-self-embedding it is essential that we label ÷. This
explains why Zantema's version of equational semantic labelling — presented in
the next section — will fail here.

4 Semantic Labelling Cube

The original version of equational semantic labelling described in Zantema [ref]
is presented below.

Theorem 4 ([ref]). Let R/E be an ETRS over a signature F, A an F-algebra,
and ℓ a labelling for A such that function symbols occurring in E are unlabelled.
If A is a model of R/E then termination of R_lab/E is equivalent to termination
of R/E. □

In [ref] it is remarked that the restriction that symbols in E are unlabelled is
essential. Corollary 2, of which Theorem 4 is an immediate consequence, shows
that this is not true. Zantema provides the non-terminating ETRS R/E with
R = {(x + y) + z → x + (y + z)} and E = {x + y ≈ y + x}, and the model A
consisting of the positive integers ℕ⁺ with the function symbol + interpreted as
addition. By labelling + with the value of its first argument, we obtain R_lab =
{(x +_i y) +_{i+j} z → x +_i (y +_j z) | i, j ∈ ℕ⁺} and E_lab = {x +_i y ≈ y +_j x | i, j ∈
ℕ⁺}. According to Corollary 2 the labelled ETRS R_lab/E_lab is not terminating
and indeed there are infinite rewrite sequences, e.g.

    (x +_1 x) +_2 x → x +_1 (x +_1 x) ∼ (x +_1 x) +_2 x → ···

In [ref] it is remarked that R_lab/E' with E' = {x +_i y ≈ y +_i x | i ∈ ℕ⁺} is
terminating, since it is compatible with the polynomial interpretation in which
the function symbol +_i is interpreted as addition plus i, for every i ∈ ℕ⁺.
However, E' is not a labelled version of E.

The various versions of equational semantic labelling presented above differ
in three choices: (1) the order on the algebra A (partial order vs. quasi-order),
(2) the relation between the algebra A and the ETRS R/E (model vs. quasi-
model), and (3) the labelling of the function symbols appearing in E (forbidden
vs. allowed). This naturally gives rise to the cube of eight versions of equational
semantic labelling possibilities shown in Figure 1. Every possibility is given as
a string of three choices, each of them indicated by −/+ and ordered as above,
so −++ denotes the version of equational semantic labelling with partial order,
quasi-model, and (possibly) labelled function symbols in E. All eight versions of
equational semantic labelling are sound, i.e., termination of the labelled ETRS
implies termination of the original ETRS. The versions in which termination
of the labelled ETRS is equivalent to termination of the original ETRS are
indicated by a surrounding box.

Fig. 1. Equational semantic labelling cube.

We present one more version of equational semantic labelling, stating that
the implication of Theorem 1 becomes an equivalence in the special case that
E is variable preserving (i.e., every equation l ≈ r ∈ E has the property that l
and r have the same number of occurrences of each variable), the (strict part
of the) quasi-order ≿ is well-founded, and function symbols occurring in E are
unlabelled. In other words, if E is variable preserving (which in particular is true
for AC) and the quasi-order ≿ is well-founded then we can put a box around
++− in Figure 1. Before presenting the proof, we show the necessity of the
three conditions. First consider the ETRS R/E with R = ∅ and E = {f(x, x) ≈
x} where the signature contains a unary function symbol g in addition to the
function symbol f. Let A be the algebra over the carrier {0, 1} with 1 ≻ 0 and
operations f_A(x, y) = x and g_A(x) = x. Note that A is a (quasi-)model of R/E.
By labelling g with the value of its argument, we obtain the ETRS R̄/Ē with
R̄ = Dec = {g_1(x) → g_0(x)} and Ē = E. The ETRS R/E is trivially terminating,
but R̄/Ē admits the following infinite rewrite sequence:

    g_1(x) ∼ f(g_1(x), g_1(x)) → f(g_0(x), g_1(x)) ∼ f(g_0(x), f(g_1(x), g_1(x))) → ···

Note that E is not variable preserving. The necessity of the well-foundedness of
the quasi-order ≿ follows by considering the terminating TRS R/E with R =
{f(x) → g(x)} and E = ∅, the algebra A over the carrier ℤ with standard order
≥ and operations f_A(x) = g_A(x) = x, and the labelling ℓ_f(x) = x. In this case
we have R_lab = {f_i(x) → g(x) | i ∈ ℤ} and Dec = {f_i(x) → f_j(x) | i > j}, so R̄
lacks termination. Finally, the requirement that function symbols occurring in
E must be unlabelled is justified by the counterexample following Theorem 1.

Theorem 5. Let R/E be an ETRS over a signature F with E variable preserving,
(A, ≿) a monotone F-algebra with ≻ well-founded, and ℓ a monotone
labelling for (A, ≿) such that function symbols occurring in E are unlabelled. If
A is a quasi-model of R/E then termination of R̄/Ē is equivalent to termination
of R/E.
Proof. First note that R̄/Ē = (R_lab ∪ Dec)/(E ∪ Eq) because function symbols
occurring in E are unlabelled. The "if" part is a consequence of Theorem 1. For
the "only if" part we show that the ETRS Dec/(E ∪ Eq) is terminating. For a
term t ∈ T(F_lab, V) let φ(t) denote the multiset of all labels occurring in t. The
following facts are not difficult to show:

- if s →_Dec t then φ(s) ≻_mul φ(t),

- if s ⊢⊣_Eq t then φ(s) ∼_mul φ(t),

- if s ⊢⊣_E t then φ(s) = φ(t).

Here ≻_mul denotes the multiset extension of ≻ ([ref]) and ∼_mul denotes the
multiset extension of the equivalence relation ∼ (which coincides with the
equivalence relation associated with the multiset extension ≿_mul of ≿, see e.g. [ref,
Definition 5.6]). For the validity of the last observation it is essential that E is
variable preserving and that function symbols occurring in E are unlabelled. From
these facts and the well-foundedness of ≻_mul we obtain the termination of
Dec/(E ∪ Eq). Now, if R̄/Ē is not terminating then it admits an infinite rewrite
sequence which contains infinitely many R_lab-steps. Erasing all labels yields an
infinite R/E-rewrite sequence, contradicting the assumption that R/E is
terminating. □

5 Dummy Elimination for Equational Rewriting

Ferreira, Kesner, and Puel [ref] extended dummy elimination to AC-rewriting
by completely removing the AC-axioms. We show that their result is easily
obtained in our equational semantic labelling framework. Our definition of
dummy(R) is different from the one in [ref], but easily seen to be equivalent.

Definition 3. Let R be a TRS over a signature F. Let e be a distinguished
function symbol in F of arity m ≥ 1 and let ◇ be a fresh constant. We write F_◇
for (F \ {e}) ∪ {◇}. The mapping cap: T(F, V) → T(F_◇, V) is inductively defined
as follows: cap(t) = t if t ∈ V, cap(e(t_1, ..., t_m)) = ◇, and cap(f(t_1, ..., t_n)) =
f(cap(t_1), ..., cap(t_n)) if f ≠ e. The mapping dummy assigns to every term in
T(F, V) a subset of T(F_◇, V):

    dummy(t) = {cap(t)} ∪ {cap(s) | s is an argument of an e symbol in t}.

Finally, we define

    dummy(R) = {cap(l) → r' | l → r ∈ R and r' ∈ dummy(r)}.

Note that dummy(R) may contain invalid rewrite rules because cap(l) can
have fewer variables than l. In that case, however, dummy(R) is not terminating
and the results presented below hold vacuously. Ferreira and Zantema [ref] showed
that if dummy(R) is terminating then R is terminating. A simple proof of this
fact using self-labelling, a special case of semantic labelling, can be found in
Middeldorp et al. [ref]. Two extensions of this result to equational rewriting are
known. In [ref] Ferreira showed that termination of R/E follows from termination
of dummy(R)/E provided that E is variable preserving and does not contain the
function symbol e. The extension presented in Ferreira et al. [ref] is stated below.
Theorem 6. Let R/E be an ETRS with E = AC(e). If dummy(R) is terminating
then R/E is terminating.

In other words, AC-termination of R is reduced to termination of dummy(R).

Proof. We turn the set of terms T(F_◇, V) into an F-algebra A by defining
e_A(t_1, ..., t_m) = ◇ and f_A(t_1, ..., t_n) = f(t_1, ..., t_n) for all other function
symbols f ∈ F and terms t_1, ..., t_n ∈ T(F_◇, V). We equip A with the (well-founded)
partial order ≥ = →*_{dummy(R)}, whose strict part ≻ is →⁺_{dummy(R)}. One can verify
that A is monotone with respect to ≥.

An easy induction proof shows that [α](t) = cap(t)α for all terms t ∈ T(F, V).
We show that A is a quasi-model of R/E. Let α: V → T(F_◇, V) be an arbitrary
assignment and let l → r ∈ R. We have [α](l) = cap(l)α and [α](r) = cap(r)α by
the above property. The rewrite rule cap(l) → cap(r) belongs to dummy(R) by
definition and hence [α](l) ≻ [α](r). For the two equations l ≈ r ∈ E we clearly
have [α](l) = ◇ = [α](r). Hence A is a quasi-model of R/E.

Define the (monotone) labelling ℓ as follows: ℓ_f = f_A for all function symbols
f ∈ F. According to Theorem 3 it is sufficient to show that R̄/E_lab is terminating.
Define a precedence ⊐ on F_lab as follows: f_s ⊐ g_t if and only if s (≻ ∪ ▷)⁺ t,
where ▷ is the proper superterm relation. Note that ⊐ inherits well-foundedness
from ≻. We claim that R̄ is precedence terminating with respect to ⊐. Rewrite
rules in Dec are of the form f_s(x_1, ..., x_n) → f_t(x_1, ..., x_n) with s ≻ t and thus
f_s ⊐ f_t. For rules in R_lab we make use of the following property:

    if t ⊴ r then cap(t) ⊴ r' for some term r' ∈ dummy(r).    (*)

Now let l → r ∈ R_lab. By definition there exist an assignment α: V → T(F_◇, V)
and a rewrite rule l' → r' ∈ R such that l = lab_α(l') and r = lab_α(r'). The
label of the root symbol of l is [α](l') = cap(l')α. Let s be the label of a function
symbol in r. By construction s = [α](t) = cap(t)α for some subterm t of r'.
According to (*) we have cap(t) ⊴ r'' for some r'' ∈ dummy(r'). By definition
cap(l') → r'' ∈ dummy(R) and hence cap(l')α ≻ r''α ⊵ cap(t)α = s. Consequently,
root(l) ⊐ f for every function symbol f in r. This completes the proof of
precedence termination of R̄. Since E_lab = AC(e_◇), termination of R̄/E_lab follows
from Lemma 1. □

The reader is invited to compare our proof with the one in [ref]. For the above
simple proof we indeed needed our new powerful version of equational semantic
labelling, i.e., Zantema's restricted version (Theorem 4) would not have worked.

One may wonder whether the soundness proof of the version of equational
dummy elimination presented in [ref] can also be simplified by equational semantic
labelling. This turns out not to be the case. One reason is that function symbols
of E that also appear in R will be labelled, causing E_lab (and Ē) to be essentially
different from E. In particular, if E consists of AC-axioms then E_lab contains
non-AC axioms and hence AC-compatible orders are not applicable to R̄/Ē.
Moreover, Lemma 1 does not extend to arbitrary ESs E and it is unclear how to
change the definition of precedence termination such that it does.

Recently, Nakamura and Toyama [ref] improved dummy elimination by restricting $r'$ in the definition of $\mathrm{dummy}(\mathcal{R})$ to terms in $(\mathrm{dummy}(r) \setminus \mathcal{T}(\mathcal{F}_c,\mathcal{V})) \cup \{\mathrm{cap}(r)\}$, with $\mathcal{F}_c$ denoting the constructors of $\mathcal{R}$. In other words, elements of $\mathrm{dummy}(r) \setminus \{\mathrm{cap}(r)\}$ that do not contain a defined function symbol need not be considered when forming the right-hand sides of the rewrite rules in $\mathrm{dummy}(\mathcal{R})$. For example, the TRS $\mathcal{R} = \{f(a) \to f(b),\ b \to e(a)\}$ is transformed into the non-terminating TRS $\mathrm{dummy}(\mathcal{R}) = \{f(a) \to f(b),\ b \to \circ,\ b \to a\}$ by dummy elimination, whereas the above improvement yields the terminating TRS $\{f(a) \to f(b),\ b \to \circ\}$. Aoto¹ suggested that a further improvement is possible by stripping off the outermost constructor context of every element in $\mathrm{dummy}(r) \setminus \{\mathrm{cap}(r)\}$. For $\mathcal{R} = \{f(a(x)) \to f(b),\ b \to e(a(f(c)))\}$ this would yield the terminating TRS $\{f(a(x)) \to f(b),\ b \to \circ,\ b \to f(c)\}$, whereas the transformation of [ref] produces $\mathrm{dummy}(\mathcal{R}) = \{f(a(x)) \to f(b),\ b \to \circ,\ b \to a(f(c))\}$, which is clearly not terminating (note that $f(b) \to f(a(f(c))) \to f(b)$).

These ideas are easily incorporated in our definition of dummy elimination. Here $\mathcal{F}_d = \mathcal{F} \setminus \mathcal{F}_c$ denotes the defined symbols of $\mathcal{R}$.

Definition 4. Let $\mathcal{R}$ be a TRS over a signature $\mathcal{F}$. The mapping $\mathrm{dummy}'$ assigns to every term in $\mathcal{T}(\mathcal{F},\mathcal{V})$ a subset of $\mathcal{T}(\mathcal{F}_\circ,\mathcal{V})$ (terms over $\mathcal{F} \setminus \{e\}$ extended with the fresh constant $\circ$), as follows:

$$\mathrm{dummy}'(t) = \{\mathrm{cap}(t)\} \cup \{\mathrm{cap}(s) \mid s \text{ is a maximal subterm of an argument of } e \text{ in } t \text{ such that } \mathrm{root}(s) \in \mathcal{F}_d \setminus \{e\}\}.$$

We define

$$\mathrm{dummy}'(\mathcal{R}) = \{\mathrm{cap}(l) \to r' \mid l \to r \in \mathcal{R} \text{ and } r' \in \mathrm{dummy}'(r)\}.$$



Theorem 7. Let $\mathcal{R}/\mathcal{E}$ be an ETRS with $\mathcal{E} = \mathsf{AC}(e)$. If $\mathrm{dummy}'(\mathcal{R})$ is terminating then $\mathcal{R}/\mathcal{E}$ is terminating.

Proof. Very similar to the proof of Theorem [ref]. The difference is that we do not label the function symbols in $\mathcal{F}_c$. In order to obtain precedence termination of $\mathcal{R}_{\mathrm{lab}} \cup \mathrm{Dec}$ we extend the precedence $\sqsupset$ on $\mathcal{F}_{\mathrm{lab}}$ by $f_t \sqsupset g$ for every $f \in \mathcal{F}_d$, $t \in \mathcal{T}(\mathcal{F}_\circ,\mathcal{V})$, and $g \in \mathcal{F}_c$. In addition, $(*)$ is replaced by the following property:

if $t \trianglelefteq r$ and $\mathrm{root}(t) \in \mathcal{F}_d$ then $\mathrm{cap}(t) \trianglelefteq r'$ for some term $r' \in \mathrm{dummy}'(r)$.

Taking these changes into consideration, termination of $\mathcal{R}/\mathcal{E}$ is obtained as in the proof of Theorem [ref]. □
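The refined dummy elimination of Definition 4, as an added Python example (not code from the paper): it implements cap, the plain mapping dummy and the refined mapping dummy' on terms represented as nested tuples, and runs both on the two TRSs discussed above. The representation, the names of the helper functions and the use of the letter o for the fresh constant are choices of this example.

```python
# Added example, not from the paper: dummy elimination with the refinement
# of Definition 4.  Terms are nested tuples (symbol, arg1, ..., argn);
# variables are plain strings.  E is the dummy symbol e and HOLE the fresh
# constant that cap introduces (written with a circle in the paper).

E = 'e'
HOLE = ('o',)

def is_var(t):
    return isinstance(t, str)

def cap(t):
    """Replace every maximal subterm rooted at e by the fresh constant."""
    if is_var(t):
        return t
    if t[0] == E:
        return HOLE
    return (t[0],) + tuple(cap(s) for s in t[1:])

def e_args(t):
    """Arguments of every occurrence of e in t (outermost occurrences first)."""
    if is_var(t):
        return []
    here = list(t[1:]) if t[0] == E else []
    return here + [s for a in t[1:] for s in e_args(a)]

def defined_symbols(R):
    """F_d: root symbols of the left-hand sides of R."""
    return {l[0] for l, _ in R}

def max_defined_subterms(t, Fd):
    """Maximal subterms of t whose root is in F_d minus {e}."""
    if is_var(t):
        return []
    if t[0] in Fd and t[0] != E:
        return [t]
    return [s for a in t[1:] for s in max_defined_subterms(a, Fd)]

def dummy(t):
    """Plain dummy elimination: cap(t) and cap of every argument of e."""
    return {cap(t)} | {cap(a) for a in e_args(t)}

def dummy_c(t, Fd):
    """Definition 4: keep cap(t) and cap(s) for the maximal defined-rooted
    subterms s of the arguments of e.  Constructor terms are dropped
    (Nakamura-Toyama) and outermost constructor contexts are stripped
    (Aoto) in one go."""
    return {cap(t)} | {cap(s) for a in e_args(t)
                       for s in max_defined_subterms(a, Fd)}

def transform(R, improved=True):
    """dummy'(R) (default) or dummy(R): {cap(l) -> r' | l -> r in R, r' in dummy(r)}."""
    Fd = defined_symbols(R)
    rules = set()
    for l, r in R:
        for r1 in (dummy_c(r, Fd) if improved else dummy(r)):
            rules.add((cap(l), r1))
    return rules

# The two TRSs of the text, constructed here as nested tuples.
# R1 = {f(a) -> f(b), b -> e(a)}
R1 = {(('f', ('a',)), ('f', ('b',))), (('b',), (E, ('a',)))}
# R2 = {f(a(x)) -> f(b), b -> e(a(f(c)))}
R2 = {(('f', ('a', 'x')), ('f', ('b',))), (('b',), (E, ('a', ('f', ('c',)))))}

if __name__ == '__main__':
    for name, R in (('R1', R1), ('R2', R2)):
        print(name, 'dummy(R)  =', sorted(transform(R, improved=False), key=str))
        print(name, "dummy'(R) =", sorted(transform(R), key=str))
```

For R1 the plain transformation keeps the rule b → a that closes the loop f(b) → f(a) → f(b), while dummy' drops it; for R2 the constructor context a(...) around f(c) is stripped, so the looping instance f(a(f(c))) never arises.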

6 Distribution Elimination for Equational Rewriting

Next we show that our results on equational semantic labelling can also be used to extend the distribution elimination transformation of [ref] to the AC case. Again, for that purpose we need our powerful version of equational semantic labelling, i.e., Theorem [ref] does not suffice. Let $\mathcal{R}$ be a TRS over a signature $\mathcal{F}$ and let $e \in \mathcal{F}$ be a designated function symbol whose arity is at least one. A rewrite rule $l \to r \in \mathcal{R}$ is called a distribution rule for $e$ if $l = C[e(x_1,\dots,x_m)]$ and $r = e(C[x_1],\dots,C[x_m])$ for some non-empty context $C$ in which $e$ does not occur and pairwise different variables $x_1,\dots,x_m$. Distribution elimination is a technique that transforms $\mathcal{R}$ by eliminating all distribution rules for $e$ and removing the symbol $e$ from the right-hand sides of the other rules. Let $\mathcal{F}_{\mathrm{distr}} = \mathcal{F} \setminus \{e\}$. We inductively define a mapping distr that assigns to every term in $\mathcal{T}(\mathcal{F},\mathcal{V})$ a non-empty subset of $\mathcal{T}(\mathcal{F}_{\mathrm{distr}},\mathcal{V})$, as follows:

¹ Remark made at the 14th Japanese Term Rewriting Meeting, Nara Institute of Science and Technology, March 15-16, 1999.

$$\mathrm{distr}(t) = \begin{cases} \{t\} & \text{if } t \in \mathcal{V}, \\[4pt] \displaystyle\bigcup_{i=1}^{m} \mathrm{distr}(t_i) & \text{if } t = e(t_1,\dots,t_m), \\[4pt] \{f(s_1,\dots,s_n) \mid s_i \in \mathrm{distr}(t_i)\} & \text{if } t = f(t_1,\dots,t_n) \text{ with } f \neq e. \end{cases}$$

It is extended to rewrite systems as follows:

$$\mathrm{distr}(\mathcal{R}) = \{l \to r' \mid l \to r \in \mathcal{R} \text{ is no distribution rule for } e \text{ and } r' \in \mathrm{distr}(r)\}.$$

A rewrite system is called right-linear if no right-hand side of a rule contains multiple occurrences of the same variable. The following theorem extends Zantema's soundness result for distribution elimination to the AC case.

Theorem 8. Let $\mathcal{R}/\mathcal{E}$ be an ETRS with $\mathcal{E} = \mathsf{AC}(e)$ such that $e$ does not occur in the left-hand sides of rewrite rules of $\mathcal{R}$ that are not distribution rules for $e$. If $\mathrm{distr}(\mathcal{R})$ is terminating and right-linear then $\mathcal{R}/\mathcal{E}$ is terminating.
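The mapping distr and the side conditions of Theorem 8, as an added Python example (not code from the paper): it recognises distribution rules for e, computes distr(t) and distr(R), and checks right-linearity and the requirement that e does not occur in the left-hand side of a non-distribution rule. The sample systems R_OK and R_BAD, the tuple representation and the helper names are constructed for this example.

```python
# Added example, not from the paper: the mapping distr of Section 6 together
# with the two checks Theorem 8 asks for, which rules are distribution rules
# for e and whether distr(R) is right-linear.  Terms are nested tuples
# (symbol, arg1, ..., argn); variables are plain strings; E is the symbol e.
from itertools import product

E = 'e'

def is_var(t):
    return isinstance(t, str)

def variables(t):
    """Variable occurrences of t, with repetitions."""
    return [t] if is_var(t) else [x for a in t[1:] for x in variables(a)]

def contains(t, f):
    """Does function symbol f occur in t?"""
    return (not is_var(t)) and (t[0] == f or any(contains(a, f) for a in t[1:]))

def positions(t, p=()):
    """All (position, subterm) pairs of t."""
    out = [(p, t)]
    if not is_var(t):
        for i, a in enumerate(t[1:]):
            out += positions(a, p + (i,))
    return out

def replace(t, p, s):
    """t[s]_p: t with the subterm at position p replaced by s."""
    if not p:
        return s
    args = list(t[1:])
    args[p[0]] = replace(args[p[0]], p[1:], s)
    return (t[0],) + tuple(args)

def is_distribution_rule(l, r):
    """l = C[e(x1,...,xm)] and r = e(C[x1],...,C[xm]) for a non-empty
    context C without e and pairwise different variables x1,...,xm."""
    es = [(p, s) for p, s in positions(l) if not is_var(s) and s[0] == E]
    if len(es) != 1:                     # e must occur exactly once in l
        return False
    p, s = es[0]
    xs = s[1:]
    if p == () or not all(is_var(x) for x in xs) or len(set(xs)) != len(xs):
        return False
    return r == (E,) + tuple(replace(l, p, x) for x in xs)

def distr(t):
    """The set distr(t) of e-free terms, as defined in the text."""
    if is_var(t):
        return {t}
    if t[0] == E:
        return set().union(*(distr(a) for a in t[1:]))
    return {(t[0],) + args for args in product(*(distr(a) for a in t[1:]))}

def distr_trs(R):
    """distr(R): non-distribution rules l -> r', one for each r' in distr(r)."""
    return {(l, r1) for l, r in R if not is_distribution_rule(l, r) for r1 in distr(r)}

def right_linear(R):
    return all(len(variables(r)) == len(set(variables(r))) for _, r in R)

def theorem8_hypothesis(R):
    """e does not occur in the left-hand side of any non-distribution rule."""
    return all(is_distribution_rule(l, r) or not contains(l, E) for l, r in R)

# Constructed sample systems (not from the paper).
DIST = (('g', (E, 'x', 'y')), (E, ('g', 'x'), ('g', 'y')))   # g(e(x,y)) -> e(g(x),g(y))
H = (('h', 'x'), (E, 'x', ('g', 'x')))                          # h(x) -> e(x, g(x))
K = (('k', 'x'), ('f', 'x', (E, 'x', ('a',))))                  # k(x) -> f(x, e(x, a))
R_OK = {DIST, H}
R_BAD = {DIST, H, K}       # distr(R_BAD) contains k(x) -> f(x,x): not right-linear
```

Note that right-linearity is a property of distr(R), not of R: the rule k(x) → f(x, e(x, a)) is right-linear in R, but the variable x is duplicated in the element f(x, x) of distr(f(x, e(x, a))), which is exactly the situation the hypothesis of Theorem 8 excludes.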

Proof. We turn the set of finite non-empty multisets over $\mathcal{T}(\mathcal{F}_{\mathrm{distr}},\mathcal{V})$ into an $\mathcal{F}$-algebra $\mathcal{A}$ by defining

$$f_{\mathcal{A}}(M_1,\dots,M_n) = \begin{cases} \{f(t_1,\dots,t_n) \mid t_i \in M_i \text{ for all } 1 \leq i \leq n\} & \text{if } f \neq e, \\[4pt] M_1 \uplus M_2 & \text{if } f = e \end{cases}$$

for all function symbols $f \in \mathcal{F}$ and finite non-empty multisets $M_1,\dots,M_n$ of terms in $\mathcal{T}(\mathcal{F}_{\mathrm{distr}},\mathcal{V})$. (Note that $n = 2$ if $f = e$.) We equip $\mathcal{A}$ with the (well-founded) partial order $\succeq_{\mathrm{mul}}$ [the underlying order on terms is lost in this copy]. One easily shows that $(\mathcal{A},\succeq_{\mathrm{mul}})$ is a monotone $\mathcal{F}$-algebra. It can be shown (cf. the nontrivial proof of Theorem 12 in [ref]) that

1. $l =_{\mathcal{A}} r$ for every distribution rule $l \to r \in \mathcal{R}$,

2. $l \succ_{\mathcal{A}} r$ for every other rule $l \to r \in \mathcal{R}$.

For (2) we need the right-linearity assumption of $\mathrm{distr}(\mathcal{R})$. From the definition of $e_{\mathcal{A}}$ we obtain $e(x,y) =_{\mathcal{A}} e(y,x)$ and $e(e(x,y),z) =_{\mathcal{A}} e(x,e(y,z))$. Hence $(\mathcal{A},\succeq_{\mathrm{mul}})$ is a quasi-model of $\mathcal{R}/\mathcal{E}$.

Define the (monotone) labelling $\ell$ as follows: $\ell_f = f_{\mathcal{A}}$ for all function symbols $f \neq e$. According to Theorem [ref] it is sufficient to show that $(\mathcal{R}_{\mathrm{lab}} \cup \mathrm{Dec})/\mathcal{E}_{\mathrm{lab}}$ is terminating. Define the precedence $\sqsupset$ on $\mathcal{F}_{\mathrm{lab}}$ as follows: $f \sqsupset g$ if and only if either $f \neq e$ and $g = e$, or $f = f'_M$ and $g = g'_N$ with $M\ ((\succ \cup \triangleright)^+)_{\mathrm{mul}}\ N$. Note that $\sqsupset$ is well-founded. We claim that $\mathcal{R}_{\mathrm{lab}} \cup \mathrm{Dec}$ is precedence terminating with respect to $\sqsupset$. Rewrite rules in $\mathrm{Dec}$ are of the form $f_M(x_1,\dots,x_n) \to f_N(x_1,\dots,x_n)$ with $M \succ_{\mathrm{mul}} N$ and thus $f_M \sqsupset f_N$. For rules in $\mathcal{R}_{\mathrm{lab}}$ we make use of the following property, which is not difficult to prove:

3. if $t \triangleleft r$ then $[\alpha](r) \triangleright_{\mathrm{mul}} [\alpha](t)$ for every assignment $\alpha$.

Now let $l \to r \in \mathcal{R}_{\mathrm{lab}}$. By definition there is an assignment $\alpha\colon \mathcal{V} \to \mathcal{T}(\mathcal{F}_{\mathrm{distr}},\mathcal{V})$ and a rewrite rule $l' \to r' \in \mathcal{R}$ such that $l = \mathrm{lab}_\alpha(l')$ and $r = \mathrm{lab}_\alpha(r')$. Since $\mathrm{root}(l') \neq e$, the label of the root symbol of $l$ is $[\alpha](l')$. If $e$ occurs in $r'$ then $\mathrm{root}(l) \sqsupset e$ by definition. Let $M$ be the label of a function symbol in $r$. By construction $M = [\alpha](t)$ for some subterm $t$ of $r'$. We distinguish two cases. First consider the case that $l' \to r' \in \mathcal{R}$ is a distribution rule. Because $\mathrm{root}(r') = e$, $t$ is a proper subterm of $r'$. Property (3) yields $[\alpha](r') \triangleright_{\mathrm{mul}} [\alpha](t)$. We have $[\alpha](l') = [\alpha](r')$ by (1). Hence $[\alpha](l')\ ((\succ \cup \triangleright)^+)_{\mathrm{mul}}\ M$ as required. Next let $l' \to r' \in \mathcal{R}$ be a non-distribution rule. From (3) we infer that $[\alpha](r') \trianglerighteq_{\mathrm{mul}} [\alpha](t)$ (if $t = r'$ then $[\alpha](r') = [\alpha](t)$ holds). According to (2) we have $[\alpha](l') \succ_{\mathrm{mul}} [\alpha](r')$. Hence also in this case we obtain $[\alpha](l')\ ((\succ \cup \triangleright)^+)_{\mathrm{mul}}\ M$. This completes the proof of precedence termination of $\mathcal{R}_{\mathrm{lab}} \cup \mathrm{Dec}$. Since $\mathcal{E}_{\mathrm{lab}} = \mathcal{E} = \mathsf{AC}(e)$, termination of $\mathcal{R}/\mathcal{E}_{\mathrm{lab}}$ follows from Lemma [ref]. □

Next we show that the right-linearity requirement in the preceding theorem can be dropped if termination is strengthened to total termination. A TRS is called totally terminating if it is compatible with a well-founded monotone algebra in which the underlying order is total. Since adding a constant to the signature does not affect total termination, from now on we assume that the set of ground terms is non-empty. Total termination is equivalent (see [ref, Theorem 13]) to compatibility with a well-founded monotone total order on ground terms. Here, "compatibility" means that $l\sigma \succ r\sigma$ holds for all rules $l \to r \in \mathcal{R}$ and all substitutions $\sigma$ such that $l\sigma$ is a ground term. It should be noted that standard termination techniques like polynomial interpretations, recursive path order, and Knuth-Bendix order all yield total termination.

Theorem 9. Let $\mathcal{R}/\mathcal{E}$ be an ETRS with $\mathcal{E} = \mathsf{AC}(e)$ such that $e$ does not occur in the left-hand sides of rewrite rules of $\mathcal{R}$ that are not distribution rules for $e$. If $\mathrm{distr}(\mathcal{R})$ is totally terminating then $\mathcal{R}/\mathcal{E}$ is terminating.

Proof. There is a well-founded monotone total order $\succ$ on $\mathcal{T}(\mathcal{F}_{\mathrm{distr}})$ which is compatible with $\mathrm{distr}(\mathcal{R})$. We turn $\mathcal{T}(\mathcal{F}_{\mathrm{distr}})$ into an $\mathcal{F}$-algebra $\mathcal{A}$ by defining $f_{\mathcal{A}}(t_1,\dots,t_n) = f(t_1,\dots,t_n)$ if $f \neq e$ and $f_{\mathcal{A}}(t_1,\dots,t_n) = \max\{t_1,t_2\}$ if $f = e$, for all symbols $f \in \mathcal{F}$ and terms $t_1,\dots,t_n$ in $\mathcal{T}(\mathcal{F}_{\mathrm{distr}})$. We equip $\mathcal{A}$ with the (well-founded) partial order $\succeq$. One can show that $(\mathcal{A},\succeq)$ is a monotone $\mathcal{F}$-algebra. It is not difficult to verify that $l =_{\mathcal{A}} r$ for every distribution rule $l \to r \in \mathcal{R}$ and the two equations $l \approx r \in \mathcal{E}$. An easy induction proof shows that

1. for all terms $r \in \mathcal{T}(\mathcal{F},\mathcal{V})$ and assignments $\alpha$ there exists a term $s \in \mathrm{distr}(r)$ such that $[\alpha](r) = [\alpha](s)$.

Using this property, we obtain (by induction on $r$) that $l \succ_{\mathcal{A}} r$ for every non-distribution rule $l \to r \in \mathcal{R}$. Hence $(\mathcal{A},\succeq)$ is a quasi-model of $\mathcal{R}/\mathcal{E}$.

Define the (monotone) labelling $\ell$ as follows: $\ell_f = f_{\mathcal{A}}$ for all function symbols $f \neq e$. According to Theorem 2 it is sufficient to show that $(\mathcal{R}_{\mathrm{lab}} \cup \mathrm{Dec})/\mathcal{E}_{\mathrm{lab}}$ is terminating. Define the precedence $\sqsupset$ on $\mathcal{F}_{\mathrm{lab}}$ as follows: $f \sqsupset g$ if and only if either $f \neq e$ and $g = e$, or $f = f'_s$ and $g = g'_t$ with $s\ (\succ \cup \triangleright)^+\ t$. Note that $\sqsupset$ is well-founded. The following property is not difficult to prove:

2. if $t \triangleleft r$ then $[\alpha](r) \trianglerighteq [\alpha](t)$ for every assignment $\alpha$.

However, $[\alpha](r) \triangleright [\alpha](t)$ need not hold (consider e.g. $t \triangleleft e(t,t)$) and as a consequence the labelled distribution rules in $\mathcal{R}_{\mathrm{lab}}$ are not precedence terminating with respect to $\sqsupset$. Nevertheless, the precedence termination of the labelled non-distribution rules in $\mathcal{R}_{\mathrm{lab}}$ as well as the rules in $\mathrm{Dec}$ is obtained as in the proof of Theorem 8. Hence any AC-compatible recursive path order $>_{\mathrm{rpo}}$ induced by the precedence $\sqsupset$ that is defined on terms with variables (cf. the proof of Lemma [ref]) will orient these rules from left to right. Let $l = C[e(x,y)] \to e(C[x],C[y]) = r$ be a distribution rule in $\mathcal{R}$ and let $\alpha$ be an arbitrary assignment. We claim that $\mathrm{lab}_\alpha(l) >_{\mathrm{rpo}} \mathrm{lab}_\alpha(r)$. Since $C \neq \square$, $\mathrm{root}(\mathrm{lab}_\alpha(l)) \sqsupset e = \mathrm{root}(\mathrm{lab}_\alpha(r))$ by definition. It suffices to show that $\mathrm{lab}_\alpha(l) >_{\mathrm{rpo}} \mathrm{lab}_\alpha(C[x])$ and $\mathrm{lab}_\alpha(l) >_{\mathrm{rpo}} \mathrm{lab}_\alpha(C[y])$.

We have $\mathrm{lab}_\alpha(C[x]) = C_1[x]$, $\mathrm{lab}_\alpha(C[y]) = C_2[y]$ for some labelled contexts $C_1$ and $C_2$, and $\mathrm{lab}_\alpha(l) = C_1[e(x,y)]$ if $\alpha(x) \succeq \alpha(y)$ and $\mathrm{lab}_\alpha(l) = C_2[e(x,y)]$ otherwise. We consider only the case $\alpha(x) \succeq \alpha(y)$ here. We have $C_1[e(x,y)] >_{\mathrm{rpo}} C_1[x]$ by the subterm property of $>_{\mathrm{rpo}}$. If $\alpha(x) = \alpha(y)$ then $C_2[y] = C_1[y]$ and thus also $C_1[e(x,y)] >_{\mathrm{rpo}} C_2[y]$ by the subterm property. If $\alpha(x) \succ \alpha(y)$ then $C_1[e(x,y)] >_{\mathrm{rpo}} C_2[y]$ because the rewrite rule $C_1[e(x,y)] \to C_2[y]$ is precedence terminating. This can be seen as follows. The label of the root symbol of $C_1[e(x,y)]$ is $[\alpha](C[x])$. Let $q$ be the label of a function symbol in $C_2[y]$. By construction $q = [\alpha](t)$ for some subterm $t$ of $C[y]$. We obtain $[\alpha](C[y]) \trianglerighteq [\alpha](t) = q$ from (2). The monotonicity of $\mathcal{A}$ yields $[\alpha](C[x]) \succ [\alpha](C[y])$. Hence $[\alpha](C[x])\ (\succ \cup \triangleright)^+\ q$ as desired. We conclude that $(\mathcal{R}_{\mathrm{lab}} \cup \mathrm{Dec})/\mathcal{E}_{\mathrm{lab}}$ is terminating. Theorem [ref] yields the termination of $\mathcal{R}/\mathcal{E}$. □

The above theorem extends a similar result for TRSs in Zantema [23]. Actually, in [23] it is shown that $\mathcal{R}$ is totally terminating if $\mathrm{distr}(\mathcal{R})$ is totally terminating. Our semantic labelling proof does not give total termination of $\mathcal{R}/\mathcal{E}$. Nevertheless, the more complicated proof in [23] can be extended to deal with $\mathsf{AC}(e)$, so $\mathcal{R}/\mathcal{E}$ is in fact totally terminating.

In Middeldorp et al. [ref] it is shown that for $\mathcal{E} = \varnothing$ the right-linearity requirement in Theorem 8 can be dropped if there are no distribution rules in $\mathcal{R}$. It remains to be seen whether this result is also true if $\mathcal{E} = \mathsf{AC}(e)$. We note that the semantic labelling proof in [ref] does not extend to $\mathcal{R}/\mathcal{E}$ because the interpretation of $e$ defined there, an arbitrary projection function, is inconsistent with the commutativity of $e$.
Abstract. We investigate the possibility of giving a computational interpretation of an involutive negation in classical natural deduction. We first show why this cannot be simply achieved by adding $\neg\neg A = A$ to typed $\lambda$-calculus: the main obstacle is that an involutive negation cannot be a particular case of implication at the computational level. It means that one has to go out of typed $\lambda$-calculus in order to have a safe computational interpretation of an involutive negation.

We then show how to equip $\lambda\mu$-calculus in a natural way with an involutive negation: the abstraction and application associated to negation are simply the operators $\mu$ and $[\ ]$ from $\lambda\mu$-calculus. The resulting system is called symmetric $\lambda\mu$-calculus.

Finally we give a translation of symmetric $\lambda$-calculus in symmetric $\lambda\mu$-calculus, which doesn't make use of the rule of $\mu$-reduction of $\lambda\mu$-calculus (which is precisely the rule which makes the difference between classical and intuitionistic proofs in the context of $\lambda\mu$-calculus). This seems to indicate that an involutive negation generates an original way of computing. Because symmetric $\lambda\mu$-calculus contains both ways, it should be a good framework for further investigations.



1 Introduction

A lot of effort has been spent in the past 10 years to give computational interpretations of classical logic, starting from the work of Felleisen [ref], Griffin [ref] and Murthy [ref]. It has been shown that classical natural deduction allows one to model imperative features added to functional languages like Scheme, Common Lisp or ML. Two particular systems, $\lambda_c$-calculus ([ref], [ref]) and $\lambda\mu$-calculus [ref], have been intensively studied and the relation between features of languages, rules of natural deduction, machines and semantics seems to be well understood.

In the context of sequent calculus, several other computational interpretations of classical logic have been constructed following the spirit of Girard's linear logic [ref]. It is often claimed in this context that computational interpretations of negation in classical logic should be involutive, that is $\neg\neg A = A$ should be realised at the computational level. It is even sometimes claimed that this is the distinguishing feature of classical logic. But the real computational effect of the involutive character is not clear.

Systems coming from a natural deduction setting, like $\lambda_c$-calculus or $\lambda\mu$-calculus, don't have an involutive negation. There is only one exception: the symmetric $\lambda$-calculus of Barbanera and Berardi [2,3], which is explicitly based on an involutive negation, but whose concrete programming counterpart is not so well understood.

This paper is devoted to the study of the possibility of having an involutive negation in a computational interpretation of the usual natural deduction system.

In section 2 we discuss in detail the possibility of adding $\neg\neg A = A$ to typed $\lambda$-calculus (as a way of adding the classical absurdity rule to intuitionistic natural deduction). We show that there are two obstacles: negation cannot be a particular case of implication and $\bot$ cannot be an atomic type, contrary to the use coming from intuitionistic logic. The fact that negation and implication need to have different computational interpretations means that one has to go out of typed $\lambda$-calculus in order to have a safe computational interpretation of an involutive negation.

In section 3 we show how to equip $\lambda\mu$-calculus in a natural way with an involutive negation: the abstraction and application associated to negation are simply the operators $\mu$ and $[\ ]$ from $\lambda\mu$-calculus. The resulting system is called symmetric $\lambda\mu$-calculus.

In section 4 we give a translation of symmetric $\lambda$-calculus in symmetric $\lambda\mu$-calculus, which doesn't make use of the rule of $\mu$-reduction of $\lambda\mu$-calculus (which is precisely the rule which makes the difference between classical and intuitionistic proofs in the context of $\lambda\mu$-calculus). This seems to indicate that an involutive negation generates an original way of computing. Because symmetric $\lambda\mu$-calculus contains both ways, it should be a good framework for further investigations.

In the sequel types are designated by letters $A, B, C$ etc., while atomic types are designated by $P, Q, R$, etc. Terms of $\lambda$-calculus are constructed upon variables $x, y, z$ using two rules:

(abstraction) if $x$ is a variable and $u$ a term, then $\lambda x.u$ is a term.

(application) if $u$ and $v$ are terms, then $(u)v$ is a term.

Reduction of $\lambda$-calculus is denoted by $\triangleright$.

2 About Typed $\lambda$-Calculus and $\neg\neg A = A$

Let us consider usual typed $\lambda$-calculus whose types are constructed from atomic types using $\to$, $\neg$ and $\bot$ ($\bot$ is considered as an atomic type). We denote this system by $S^{\to}_{\bot}$. Judgements are expressions of the form $\Gamma \vdash u : A$, where $A$ is a type, $u$ is a term of $\lambda$-calculus and $\Gamma$ is a context of the form $x_1 : A_1, \dots, x_n : A_n$.

The rules of derivation of $S^{\to}_{\bot}$ are the following:
$$x : A \vdash x : A$$

$$\frac{\Gamma, x : A \vdash u : B}{\Gamma \vdash \lambda x.u : A \to B} \qquad\qquad \frac{\Gamma, x : A \vdash u : \bot}{\Gamma \vdash \lambda x.u : \neg A}$$

$$\frac{\Gamma_1 \vdash u : A \to B \quad\quad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash (u)v : B} \qquad\qquad \frac{\Gamma_1 \vdash u : \neg A \quad\quad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash (u)v : \bot}$$



We adopt in these rules an implicit management of contraction and weakening. Contraction is obtained through the fact that contexts are considered as sets: in a conclusion of a rule a context $\Gamma_1, \Gamma_2$ denotes the union of the contexts $\Gamma_1$ and $\Gamma_2$. Weakening is obtained by the convention that in a premise of an introduction rule, $\Gamma, x : A$ denotes a context where $x : A$ doesn't necessarily appear.

Note that in $S^{\to}_{\bot}$, $\neg A$ is identified with $A \to \bot$. Indeed $\neg$ is often considered as a derived connective whose definition is precisely $\neg A = A \to \bot$.

Suppose now that we add the rule $\neg\neg A \subset A$, i.e.

$$\frac{\Gamma \vdash u : \neg\neg A}{\Gamma \vdash u : A}$$

which is equivalent (up to $\eta$-equivalence) to the trivial interpretation of the absurdity rule

$$\frac{\Gamma, x : \neg A \vdash u : \bot}{\Gamma \vdash \lambda x.u : A}$$

We call the resulting system $S^{\to}_{\neg\neg\bot}$. In this system one can prove $x : A \vdash \lambda k.(k)x : A$ as follows:

$$\frac{\dfrac{k : \neg A \vdash k : \neg A \qquad x : A \vdash x : A}{k : \neg A,\ x : A \vdash (k)x : \bot}}{x : A \vdash \lambda k.(k)x : A}$$

The term $\lambda k.(k)x$ will play a fundamental role in the examples of sections 2.1 and 2.2.

We show in the next sections that the system $S^{\to}_{\neg\neg\bot}$ doesn't satisfy normalisation and correctness properties. This means that the addition of the rule $\neg\neg A \subset A$ (and a fortiori the addition of $\neg\neg A = A$) to $S^{\to}_{\bot}$ destroys normalisation and correctness properties.



2.1 Normalisation

Proposition 1. Let $\theta = \lambda f.\lambda x.(\lambda k.(k)f)(f)x$. The term $((\theta)\theta)\theta$ is typable in $S^{\to}_{\neg\neg\bot}$ and not normalisable.

Proof. Let $C$ be a type. One defines $C^n$ by induction on $n$ by: $C^1 = C$ and $C^{n+1} = C^n \to C^n$.

One proves that $\vdash \theta : C^{n+1} \to C^n \to C^n$, i.e. $\vdash \theta : C^{n+2}$, for each $n \geq 1$. We have

$$f : C^{n+1},\ x : C^n \vdash (f)x : C^n$$

Because $f : C^{n+1} \vdash \lambda k.(k)f : C^{n+1}$ (by the rule $\neg\neg A \subset A$ applied to $\lambda k.(k)f : \neg\neg C^{n+1}$), we have also

$$f : C^{n+1},\ x : C^n \vdash (\lambda k.(k)f)(f)x : C^n$$

and thus $\vdash \lambda f.\lambda x.(\lambda k.(k)f)(f)x : C^{n+1} \to C^n \to C^n$, i.e. $\vdash \theta : C^{n+2}$.

It follows that $\vdash ((\theta)\theta)\theta : C^{n+2}$ for each $n \geq 1$: it suffices to type the first occurrence of $\theta$ with $C^{n+4}$, the second with $C^{n+3}$ and the third with $C^{n+2}$.

Now it is easy to check that $((\theta)\theta)\theta$ is not normalisable because $\theta = \lambda f.\lambda x.(\lambda k.(k)f)(f)x$ reduces in one step to $\theta_1 = \lambda f.\lambda x.((f)x)f$, and $((\theta_1)\theta_1)\theta_1$ has only one reduction sequence and reduces to itself in two steps as follows:

$$\begin{aligned} ((\theta_1)\theta_1)\theta_1 &= ((\lambda f.\lambda x.((f)x)f)\theta_1)\theta_1 \\ &\triangleright (\lambda x.((\theta_1)x)\theta_1)\theta_1 \\ &\triangleright ((\theta_1)\theta_1)\theta_1 \end{aligned}$$



2.2 Correctness

In $S^{\to}_{\neg\neg\bot}$ types are not preserved by reduction in an essential way, which forbids the derivation of correct programs from proofs. This loss of correctness can be easily shown if one extends typed $\lambda$-calculus to a second order typed $\lambda$-calculus. Let us take for example the simplest such system, due to Leivant [ref] and widely developed in [ref], which allows one to derive correct programs from equational specifications of functions. In such a system one can easily prove that $\lambda x.\lambda y.(x)y$ is a program which computes the exponential $y^x$. More precisely one has a term $e$, $\beta\eta$-equivalent to $\lambda x.\lambda y.(x)y$, such that:

$$\vdash e : \forall u \forall v (Nu \to (Nv \to Nv^u))$$

where $Nx$ is the second order type $\forall X(\forall y(Xy \to Xsy) \to (X0 \to Xx))$ saying that $x$ is a natural number.

If one adds $\neg\neg A \subset A$, one can prove that $\lambda x.\lambda y.(y)x$ is also a program which computes the exponential $y^x$. In other words, the calculus mixes up $x^y$ and $y^x$! This obviously forbids any hope to derive correct programs in this calculus.

Proof. Suppose $\vdash e : \forall u \forall v (Nu \to (Nv \to Nv^u))$. Then $x : Nu \vdash (e)x : Nv \to Nv^u$ and $y : \neg(Nv \to Nv^u),\ x : Nu \vdash (y)(e)x : \bot$. It follows that $x : Nu \vdash \lambda y.(y)(e)x : \neg\neg(Nv \to Nv^u)$ and, because $\neg\neg A \subset A$,

$$x : Nu \vdash \lambda y.(y)(e)x : Nv \to Nv^u$$

Therefore $\vdash \lambda x.\lambda y.(y)(e)x : Nu \to Nv \to Nv^u$ and $\vdash \lambda x.\lambda y.(y)(e)x : \forall u \forall v (Nu \to (Nv \to Nv^u))$.

This means that $\lambda x.\lambda y.(y)(e)x$ is also a program for $y^x$. But $\lambda x.\lambda y.(y)(e)x$ is $\beta\eta$-equivalent to $\lambda x.\lambda y.(y)x$:

$$\begin{aligned} \lambda x.\lambda y.(y)(e)x &=_{\beta\eta} \lambda x.\lambda y.(y)(\lambda x.\lambda y.(x)y)x \\ &=_{\beta\eta} \lambda x.\lambda y.(y)\lambda y.(x)y \\ &=_{\beta\eta} \lambda x.\lambda y.(y)x \end{aligned}$$
2.3 Discussion

The problem behind the examples of sections 2.1 and 2.2 appears clearly in the following derivation:

$$\frac{\dfrac{\dfrac{\dfrac{k : \neg(A \to B) \vdash k : \neg(A \to B) \qquad f : A \to B \vdash f : A \to B}{k : \neg(A \to B),\ f : A \to B \vdash (k)f : \bot}}{f : A \to B \vdash \lambda k.(k)f : \neg\neg(A \to B)}}{f : A \to B \vdash \lambda k.(k)f : A \to B} \qquad x : A \vdash x : A}{f : A \to B,\ x : A \vdash (\lambda k.(k)f)x : B}$$

This derivation shows that in $S^{\to}_{\neg\neg\bot}$, the term $(\lambda k.(k)f)x$ is typable of type $B$ in the context $f : A \to B,\ x : A$. But $(\lambda k.(k)f)x$ reduces to the term $(x)f$, which is not typable in the context $f : A \to B,\ x : A$. Therefore typing in $S^{\to}_{\neg\neg\bot}$ is not preserved under reduction.

This derivation also shows that the addition of the trivial absurdity rule to typed $\lambda$-calculus produces the effect of adding the following rule:

$$\frac{\Gamma_1 \vdash u : A \to B \quad\quad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash (v)u : B}$$

to the usual rule of elimination of implication:

$$\frac{\Gamma_1 \vdash u : A \to B \quad\quad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash (u)v : B}$$

The effect of choosing an involutive negation is indeed to induce a symmetry at the level of application. As the application associated to $\to$ cannot be symmetric, the only possibility to get a safe calculus with an involutive negation is to keep the computational interpretations of $\neg$ and $\to$ separate. The obvious way of doing so is to choose two different abstractions and two different applications.

As shown below there is one more obstacle to an involutive negation in the context of typed $\lambda$-calculus.

2.4 The Role of $\bot$

Suppose now that we restrict our system by forgetting $\to$. The resulting system $S_{\neg\neg\bot}$ has the following rules:

$$x : A \vdash x : A$$

$$\frac{\Gamma, x : A \vdash u : \bot}{\Gamma \vdash \lambda x.u : \neg A} \qquad\qquad \frac{\Gamma_1 \vdash u : \neg A \quad\quad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash (u)v : \bot}$$

and in addition the trivial absurdity rule:

$$\frac{\Gamma, x : \neg A \vdash u : \bot}{\Gamma \vdash \lambda x.u : A}$$

We show that normalisation fails for $S_{\neg\neg\bot}$.
Proposition 2. Let $\xi = \lambda x.\lambda f.(\lambda k.(k)f)(f)x$ and $y$ a variable. The term $(\lambda k.(k)\xi)(\xi)y$ is typable in $S_{\neg\neg\bot}$ and not normalisable.

Proof. We first show that $(\lambda k.(k)\xi)(\xi)y$ is typable in $S_{\neg\neg\bot}$.

We have $x : \bot,\ f : \neg\bot \vdash (f)x : \bot$ and $f : \neg\bot \vdash \lambda k.(k)f : \neg\bot$. Therefore $x : \bot,\ f : \neg\bot \vdash (\lambda k.(k)f)(f)x : \bot$ and $x : \bot \vdash \lambda f.(\lambda k.(k)f)(f)x : \neg\neg\bot$. Because $\neg\neg\bot \subset \bot$, we also have $\vdash \lambda x.\lambda f.(\lambda k.(k)f)(f)x : \neg\bot$, i.e. $\vdash \xi : \neg\bot$. It follows that $\vdash \lambda k.(k)\xi : \neg\bot$ and $y : \bot \vdash (\lambda k.(k)\xi)(\xi)y : \bot$.

Let $\xi_1 = \lambda x.\lambda f.((f)x)f$. The term $(\lambda k.(k)\xi)(\xi)y$ reduces to the term $((\xi_1)y)\xi_1$, which has only one reduction sequence and reduces in two steps to itself as follows:

$$\begin{aligned} ((\xi_1)y)\xi_1 &= ((\lambda x.\lambda f.((f)x)f)y)\xi_1 \\ &\triangleright (\lambda f.((f)y)f)\xi_1 \\ &\triangleright ((\xi_1)y)\xi_1 \end{aligned}$$

In order to type a non-normalisable term in the system $S_{\neg\neg\bot}$ we have made essential use of the fact that $\bot$ is an atomic type of the system, which can be used to build other types (we used the type $\neg\bot$). The problem lies in the confusion between two uses of $\bot$: as indicating a contradiction in a proof and as an atomic type. Therefore in order to get a normalising calculus with an involutive negation we have to forbid $\bot$ as an atomic type (it can be a "special" type, which is outside the system).

Note that the two obstacles to an involutive computational interpretation of negation are completely different. In particular, the examples of sections 2.1 and 2.2 do not use the fact that $\bot$ is an atomic type of the system: they hold for the system where $\bot$ is used only for indicating a contradiction in a proof.

3 Typed $\lambda\mu$-Calculus with $\neg\neg A = A$

In this section, we extend typed $\lambda\mu$-calculus in a natural way with an involutive negation: the abstraction and application associated to negation are simply the operators $\mu$ and $[\ ]$ from $\lambda\mu$-calculus.

3.1 $\lambda\mu$-Calculus

Typed $\lambda\mu$-calculus is a simple computational interpretation of classical logic introduced in [ref]. It has both a clear interpretation in terms of environment machines and a clear semantics in terms of continuations [ref].

The $\lambda\mu$-calculus has two kinds of variables: the $\lambda$-variables $x, y, z, \dots$, and the $\mu$-variables $\alpha, \beta, \gamma, \dots$ Terms are defined inductively as follows:

- $x$ is a term, for $x$ a $\lambda$-variable;

- $\lambda x.u$ is a term, for $x$ a $\lambda$-variable and $u$ a term;

- $(t)u$ is a term, for $t$ and $u$ terms;

- $\mu\alpha.[\beta]t$ is a term, for $t$ a term and $\alpha, \beta$ $\mu$-variables.

Expressions of the form $[\beta]t$, where $\beta$ is a $\mu$-variable and $t$ a term, are called named terms. They correspond to type $\bot$ in typed $\lambda\mu$-calculus.
Typed $\lambda\mu$-calculus is a calculus for classical logic, enjoying confluence and strong normalisation [ref], which doesn't make use of negation. Types are built from atomic types using $\to$ only. Type $\bot$ is not needed, but is added for convenience as a special type denoting a contradiction in a proof (in the context of typed $\lambda\mu$-calculus one could also consider it as an atomic type). Judgments have two contexts: one to the left for $\lambda$-variables and one to the right for $\mu$-variables. In order to make the symmetric extension easier to understand, we adopt here a presentation where the right context is replaced by a negated left context. Of course, this doesn't change the calculus; in particular negation is not needed inside types.

Judgments are expressions of the form $\Gamma; \Delta \vdash u : A$, where $A$ is a type, $u$ is a term of $\lambda\mu$-calculus, $\Gamma$ is a context of the form $x_1 : A_1, \dots, x_n : A_n$ and $\Delta$ a context of the form $\alpha_1 : \neg A_1, \dots, \alpha_n : \neg A_n$.

The typing rules of $\lambda\mu$-calculus are the following:

$$x : A;\ \vdash x : A$$

$$\frac{\Gamma, x : A;\ \Delta \vdash u : B}{\Gamma;\ \Delta \vdash \lambda x.u : A \to B} \qquad\qquad \frac{\Gamma_1;\ \Delta_1 \vdash u : A \to B \quad\quad \Gamma_2;\ \Delta_2 \vdash v : A}{\Gamma_1, \Gamma_2;\ \Delta_1, \Delta_2 \vdash (u)v : B}$$

$$\frac{\Gamma;\ \Delta, \alpha : \neg A \vdash u : \bot}{\Gamma;\ \Delta \vdash \mu\alpha.u : A} \qquad\qquad \frac{\Gamma;\ \Delta \vdash u : A}{\Gamma;\ \Delta, \alpha : \neg A \vdash [\alpha]u : \bot}$$

As for typed $\lambda$-calculus we adopt in these rules an implicit management of contraction and weakening, with the same conventions as in section 2.

The $\lambda\mu$-calculus has two fundamental reduction rules:

$$(R_1)\quad (\lambda x.u)v \triangleright u[v/x]$$

$$(R_2)\quad (\mu\alpha.u)v \triangleright \mu\alpha'.u[[\alpha'](w)v / [\alpha]w]$$

and in addition simplification rules (like the $\eta$-rule of $\lambda$-calculus):

$$(S_1)\quad \lambda x.(u)x \triangleright u$$

$$(S_2)\quad \mu\alpha.[\alpha]u \triangleright u$$

Simplification rules are subject to the following restrictions: in $(S_1)$, $x$ has no free occurrences in $u$; in $(S_2)$, $\alpha$ has no free occurrences in $u$.

In $(R_2)$, the term $u[[\alpha'](w)v / [\alpha]w]$ is defined as the result of substituting for each subterm of $u$ of the form $[\alpha]w$ the new subterm $[\alpha'](w)v$. Note that if $\alpha$ has type $\neg(A \to B)$, then $\alpha'$ has type $\neg B$.



3.2 Symmetric $\lambda\mu$-Calculus

We introduce an extension of $\lambda\mu$-calculus with an involutive negation, called symmetric $\lambda\mu$-calculus. We simply take the abstraction $\mu$ and the application $[\ ]$ of $\lambda\mu$-calculus as being the new abstraction and application corresponding to the computational content of this involutive negation.

Types of symmetric $\lambda\mu$-calculus are defined as follows:

$$A ::= P \mid \neg P \mid A \to B \mid \neg(A \to B)$$

where $P$ denotes atomic types.

The negation $\neg$ is extended to an involutive negation on types in the obvious way.

For convenience, one adds a special type $\bot$. For the reason explained in section 2.4, $\bot$ doesn't belong to the set of atomic types.

Note that an involutive negation invites one to identify the rule of introduction of negation

$$\frac{\Gamma, x : A \vdash u : \bot}{\Gamma \vdash \mu x.u : \neg A}$$

and the absurdity rule

$$\frac{\Gamma, x : \neg A \vdash u : \bot}{\Gamma \vdash \mu x.u : A}$$

and also to have only one kind of variable.

This is the drastic solution that we adopt with symmetric $\lambda\mu$-calculus, because it should better capture the essence of an involutive negation, but more permissive ones might also be interesting at the computational level.



Terms of Symmetric $\lambda\mu$-Calculus.

Symmetric $\lambda\mu$-calculus has only one kind of variables. Terms are defined inductively as follows:

- $x$ is a term, for $x$ a variable;

- $\lambda x.u$ is a term, for $x$ a variable and $u$ a term;

- $(t)u$ is a term, for $t$ and $u$ terms;

- $\mu x.[u]v$ is a term, for $x$ a variable and $u, v$ terms.

Expressions of the form $[u]v$, where $u, v$ are terms, are called named terms. They correspond to type $\bot$ in typed symmetric $\lambda\mu$-calculus.

Typing Rules of Symmetric $\lambda\mu$-Calculus.

$$x : A \vdash x : A$$

$$\frac{\Gamma, x : A \vdash u : B}{\Gamma \vdash \lambda x.u : A \to B} \qquad\qquad \frac{\Gamma_1 \vdash u : A \to B \quad\quad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash (u)v : B}$$

$$\frac{\Gamma, x : A \vdash u : \bot}{\Gamma \vdash \mu x.u : \neg A} \qquad\qquad \frac{\Gamma_1 \vdash u : \neg A \quad\quad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash [u]v : \bot}$$

As for typed $\lambda$-calculus one adopts in these rules an implicit management of contraction and weakening, with the same conventions as in section 2.
Reduction Rules of Symmetric $\lambda\mu$-Calculus.

The symmetric $\lambda\mu$-calculus has the following reduction rules:

$$(R_1)\quad (\lambda x.u)v \triangleright u[v/x]$$

$$(R_2)\quad (\mu x.u)v \triangleright \mu x'.u[\mu z.[x'](z)v / x]$$

$$(R_3)\quad [\mu x.u]v \triangleright u[v/x]$$

$$(R_4)\quad [u]\mu x.v \triangleright v[u/x]$$

and in addition simplification rules (like the $\eta$-rule of $\lambda$-calculus):

$$(S_1)\quad \lambda x.(u)x \triangleright u$$

$$(S_2)\quad \mu x.[x]u \triangleright u$$

$$(S_3)\quad \mu x.[u]x \triangleright u$$

Simplification rules are subject to the following restriction: in $(S_1)$, $(S_2)$, $(S_3)$, $x$ has no free occurrences in $u$.

Symmetric $\lambda\mu$-calculus is clearly an extension of $\lambda\mu$-calculus. Rule $(R_1)$ is the usual $\beta$-reduction of $\lambda$-calculus. Because we make a more liberal use of variables in symmetric $\lambda\mu$-calculus, the rule $(R_2)$ of $\mu$-reduction is stated in a more general setting than the corresponding rule of $\lambda\mu$-calculus, but its effect is exactly the same when restricted to terms of $\lambda\mu$-calculus.

In $\lambda\mu$-calculus the substituted variable $x$ (which is a $\mu$-variable) always occurs in a subterm $[x]w$, and the result of the substitution is in this case $[\mu z.[x'](z)v]w$, which reduces to $[x'](w)v$. This corresponds exactly to the substitution of the rule $(R_2)$ of $\lambda\mu$-calculus.

The reduction rule $(R_2)$ of symmetric $\lambda\mu$-calculus is simpler to understand with typed terms. Suppose that one reduces the term $(\mu x^{\neg(A \to B)}.u)v^{A}$. One replaces in $u$ the occurrences of $x^{\neg(A \to B)}$ by a canonical term of type $\neg(A \to B)$, which is $\mu z^{A \to B}.[x'^{\neg B}](z^{A \to B})v^{A}$. This term can be thought of as a pair $(v^{A}, x'^{\neg B})$.

The two new rules are the rules $(R_3)$ and $(R_4)$, which correspond respectively to a kind of $\beta$-reduction for $\mu$ and its symmetric; they are exactly those of the symmetric $\lambda$-calculus of Barbanera and Berardi [ref].

Note that the rule $(R_2)$ introduces a "communication" between $\to$ and $\neg$, which has no real equivalent in the symmetric $\lambda$-calculus.

Because of its symmetric nature (appearing in rules $(R_3)$ and $(R_4)$), symmetric $\lambda\mu$-calculus is essentially not confluent. As in symmetric $\lambda$-calculus, this non-confluence could be used in a positive way to derive symmetric programs.

Indeed symmetric $\lambda\mu$-calculus contains two different ways of computing with classical proofs: the one of $\lambda\mu$-calculus, based on the specific rule $(R_2)$ of $\mu$-reduction, which is well understood in terms of machines and continuations; the one of symmetric $\lambda$-calculus, based on rules $(R_3)$ and $(R_4)$, which is of a different computational nature. The embedding of $\lambda\mu$-calculus in symmetric $\lambda\mu$-calculus is obvious and doesn't make use of $(R_3)$ and $(R_4)$. In the next section we develop an embedding of symmetric $\lambda$-calculus in symmetric $\lambda\mu$-calculus, which doesn't make use of $(R_2)$.

4 Interpretation of Symmetric $\lambda$-Calculus in Symmetric $\lambda\mu$-Calculus

In this section, we give a translation of symmetric $\lambda$-calculus in symmetric $\lambda\mu$-calculus, which doesn't make use of rule $(R_2)$: reduction involves only the rules $(R_1)$, $(R_3)$ and $(R_4)$.

4.1 The Symmetric $\lambda$-Calculus of Barbanera and Berardi

The types of the system are defined by:

$$A ::= P \mid \neg P \mid A \wedge B \mid A \vee B$$

where $P$ denotes atomic types.

An involutive negation on types is defined as follows:

$$\begin{aligned} \neg(P) &= \neg P \\ \neg(\neg P) &= P \\ \neg(A \wedge B) &= \neg A \vee \neg B \\ \neg(A \vee B) &= \neg A \wedge \neg B \end{aligned}$$

There is also a special type $\bot$, which doesn't belong to the set of atomic types.

Derivation Rules of Symmetric $\lambda$-Calculus

$$x : A \vdash x : A$$

$$\frac{\Gamma \vdash u : A \quad\quad \Delta \vdash v : B}{\Gamma, \Delta \vdash (u, v) : A \wedge B}\ \wedge\text{-intro} \qquad\qquad \frac{\Gamma \vdash u_i : A_i}{\Gamma \vdash \sigma_i(u_i) : A_1 \vee A_2}\ \vee\text{-intro}$$

$$\frac{\Gamma, x : A \vdash u : \bot}{\Gamma \vdash \lambda x.u : \neg A}\ \neg\text{-intro} \qquad\qquad \frac{\Gamma \vdash u : \neg A \quad\quad \Delta \vdash v : A}{\Gamma, \Delta \vdash u * v : \bot}\ \neg\text{-elim}$$

As for typed $\lambda$-calculus one adopts in these rules an implicit management of contraction and weakening, with the same conventions as in section 2.

Reduction Rules of Symmetric $\lambda$-Calculus

$$(\beta)\quad \lambda x.u * v \triangleright u[v/x]$$

$$(\beta^{\bot})\quad u * \lambda x.v \triangleright v[u/x]$$

$$(\pi)\quad (u_1, u_2) * \sigma_i(v_i) \triangleright u_i * v_i$$

$$(\pi^{\bot})\quad \sigma_i(v_i) * (u_1, u_2) \triangleright v_i * u_i$$

Symmetric $\lambda$-calculus is obviously not confluent but enjoys strong normalisation [ref]. Moreover its non-confluence can be used in a positive way to derive symmetric programs [ref].



4.2 Interpretation of the Symmetric λ-Calculus 
in the Symmetric λμ-Calculus 

Connectives $\wedge$ and $\vee$ are translated as follows: 

$$A \vee B = \neg A \to B$$

$$A \wedge B = \neg(A \to \neg B)$$

The rules $\wedge$-intro, $\vee$-intro, $\neg$-intro and $\neg$-elim are translated as follows: 

$\wedge$-intro 

$$\frac{\dfrac{z : A \to \neg B \vdash z : A \to \neg B \qquad \Gamma_1 \vdash u : A}{\Gamma_1, z : A \to \neg B \vdash (z)u : \neg B} \qquad \Gamma_2 \vdash v : B}{\Gamma_1, \Gamma_2, z : A \to \neg B \vdash [(z)u]v : \bot}$$

$$\frac{\Gamma_1, \Gamma_2, z : A \to \neg B \vdash [(z)u]v : \bot}{\Gamma_1, \Gamma_2 \vdash \mu z.[(z)u]v : \neg(A \to \neg B)}$$

$\vee$-intro$_1$ 

$$\frac{\dfrac{z : \neg A \vdash z : \neg A \qquad \Gamma \vdash u : A}{\Gamma, z : \neg A \vdash [z]u : \bot}}{\Gamma, z : \neg A \vdash \mu d.[z]u : B}
\qquad
\frac{\Gamma, z : \neg A \vdash \mu d.[z]u : B}{\Gamma \vdash \lambda z.\mu d.[z]u : \neg A \to B}$$

$\vee$-intro$_2$ 

$$\frac{\dfrac{z : \neg B \vdash z : \neg B \qquad \Gamma \vdash u : B}{\Gamma, z : \neg B \vdash [z]u : \bot}}{\Gamma \vdash \mu z.[z]u : B}
\qquad
\frac{\Gamma \vdash \mu z.[z]u : B}{\Gamma \vdash \lambda d.\mu z.[z]u : \neg A \to B}$$

$\neg$-intro 

$$\frac{\Gamma, x : A \vdash u : \bot}{\Gamma \vdash \mu x.u : \neg A}$$

$\neg$-elim 

$$\frac{\Gamma_1 \vdash u : \neg A \qquad \Gamma_2 \vdash v : A}{\Gamma_1, \Gamma_2 \vdash [u]v : \bot}$$
Let $T$ be the translation defined inductively as follows: 

$$T(x) = x$$

$$T(\langle u, v \rangle) = \mu z.[(z)T(u)]T(v)$$

$$T(\sigma_1(u)) = \lambda z.\mu d.[z]T(u)$$

$$T(\sigma_2(u)) = \lambda d.\mu z.[z]T(u)$$

$$T(\lambda x.u) = \mu x.T(u)$$

$$T(u * v) = [T(u)]T(v)$$

As shown before, $T$ preserves types and it is easy to check that $T$ is compatible 
with substitution, i.e. $T(u[v/x]) = T(u)[T(v)/x]$. We prove now that $T$ preserves 
reduction, in a way which doesn't make use of rule (R2). 

$$T(\lambda x.u * v) = [\mu x.T(u)]T(v)$$
$$\triangleright\ T(u)[T(v)/x]$$
$$= T(u[v/x])$$

$$T(\langle u_1, u_2 \rangle * \sigma_1(v)) = [\mu z.[(z)T(u_1)]T(u_2)]\lambda z.\mu d.[z]T(v)$$
$$\triangleright\ [(\lambda z.\mu d.[z]T(v))T(u_1)]T(u_2)$$
$$\triangleright\ [\mu d.[T(u_1)]T(v)]T(u_2)$$
$$\triangleright\ [T(u_1)]T(v)$$
$$= T(u_1 * v)$$

$$T(\langle u_1, u_2 \rangle * \sigma_2(v)) = [\mu z.[(z)T(u_1)]T(u_2)]\lambda d.\mu z.[z]T(v)$$
$$\triangleright\ [(\lambda d.\mu z.[z]T(v))T(u_1)]T(u_2)$$
$$\triangleright\ [\mu z.[z]T(v)]T(u_2)$$
$$\triangleright\ [T(u_2)]T(v)$$
$$= T(u_2 * v)$$

The symmetric rules are preserved in the same way. 
Abstract. Bisimulation is generalized from process models to game 
models which are described using Game Logic (GL), a logic which ex-
tends Propositional Dynamic Logic by an additional operator dual which 
allows for the construction of complex 2-player games. It is shown that 
bisimilar states satisfy the same GL-formulas (invariance), and that an 
atomic bisimulation can be lifted to non-atomic GL-games (safety). Over 
process models, GL forms a highly expressive fragment of the modal μ-
calculus, and within first-order logic, the game operations of GL are 
complete: they suffice to construct all first-order definable games which 
are monotonic and safe for bisimulation. 



1 Introduction 

Among the different notions of process equivalence one can consider, bisimula-
tion has received much attention especially within the logic community. From 
the perspective of modal logic, there is a tight correspondence between bisimi-
lar states of a process (Kripke model) and states which make the same modal 
formulas true: Bisimilar states satisfy the same modal formulas, and for cer-
tain classes of Kripke models (e.g. finite models), the converse holds as well. 
This bisimulation-invariance result makes bisimulation an attractive notion of 
equivalence between Kripke models, since it matches the expressive power of 
the modal language rather well. On the other hand, bisimulation has provided 
a characterization of the modal fragment of first-order logic (FOL). Modal for-
mulas can be translated into formulas of FOL, and it turns out (see [?] and 
lemma 2) that the modal fragment of FOL is precisely its bisimulation-invariant 
fragment. 

This line of investigation and the two main results mentioned can be extended 
from modal logic to Propositional Dynamic Logic (PDL) [?], a logic where 
the modalities are indexed by programs. Programs can be constructed from 
atomic programs using a number of program operations such as sequential com-
position, iteration, etc., and like modal formulas, PDL-formulas are bisimulation-
invariant. Secondly, iteration-free PDL-programs can be translated into FOL as 
well, raising the question how to characterize the FOL-fragment which (trans-
lations of) PDL-programs define. In [?], such a result has been obtained: The 
program-fragment of FOL can be characterized as its bisimulation-safe fragment, 
where roughly speaking a program is safe for bisimulation if it preserves bisim-
ulation. This result shows that if we take bisimulation as our notion of process 
equivalence and FOL as our language, the program operations provided by PDL 
are complete, i.e. no additional program operations will allow us to construct 
new programs. This result has been extended to monadic second-order logic in 
[?]. 

In this paper, we carry the investigation one step further, moving from non-
deterministic programs (i.e. 1-player games) to 2-player games. In the program 
specification literature, such a move has been useful to obtain intermediate non-
implementable specifications which contain demonic as well as angelic choices 
[?]. A formalism such as the refinement calculus models programs and speci-
fications as predicate transformers, i.e. functions which map postconditions to 
weakest preconditions. This notion is general enough to model games as well as 
programs, and it is the semantic foundation of Game Logic (GL), introduced in 
[?]. In GL, the program operations of PDL are extended with a new construct 
called dual. In the terminology of games, this operation introduces a role switch 
between the players. 

After introducing game models and GL in the next section, section 3 intro-
duces bisimulation for game models. The first main result of this paper (proposi-
tion 1) shows that GL-formulas are invariant and GL-operations safe for bisim-
ulation. Starting from section 4 we focus on a special class of models, Kripke 
models. For Kripke models, the generalized notion of bisimulation coincides with 
standard bisimulation and GL becomes a fragment of the modal μ-calculus which 
can express properties requiring multiple nested fixpoints. Section 5 is devoted to 
the second main result (proposition 2): Over Kripke models, iteration-free games 
(like programs) can be translated into FOL, thus defining the game-fragment of 
FOL. The result demonstrates that this fragment is precisely the monotonic 
bisimulation-safe fragment of FOL. 



2 Syntax and Semantics of Game Logic 

GL is a logic to reason about winning strategies in strictly competitive deter-
mined games between two players who we shall call Angel and Demon. For a 
game expression $\gamma$, the formula $\langle\gamma\rangle\varphi$ will express that Angel has a strategy in 
game $\gamma$ for achieving $\varphi$, i.e. he can guarantee that the terminal position reached 
after $\gamma$ has been played satisfies $\varphi$. Similarly, $[\gamma]\varphi$ will express that Demon has 
a strategy in game $\gamma$ for achieving $\varphi$. 

GL provides a number of operations which allow for the construction of 
complex games: A test game $\varphi?$ consists of checking through a neutral arbiter 
whether proposition $\varphi$ holds at that state. If it does, nothing happens (i.e. an-
other game can be played) and otherwise, Demon wins. The game $\gamma_1 \cup \gamma_2$ gives 
Angel the choice of playing $\gamma_1$ or $\gamma_2$. The sequential composition $\gamma_1; \gamma_2$ of two 
games consists of first playing $\gamma_1$ and then $\gamma_2$, and in the iterated game $\gamma^*$, Angel 
can choose how often to play $\gamma$, possibly not at all. More precisely, after each 
play of $\gamma$, Angel can decide whether or not to play $\gamma$ another time, but $\gamma$ may 
not be played infinitely often (in that case, Demon wins). 

In order to introduce interaction between the players, GL adds an operator 
dual for role interchange: Playing the dual game $\gamma^d$ is the same as playing $\gamma$ with 
the roles of the players reversed, i.e. any choice made by Angel in $\gamma$ will be made 
by Demon in $\gamma^d$ and vice versa. 

Formally, the language of GL consists of two sorts, games and propositions. 
Given a set of atomic games $\Gamma_0$ and a set of atomic propositions $\Phi_0$, games $\gamma$ 
and propositions $\varphi$ can have the following syntactic forms, yielding the set of 
games $\Gamma$ and the set of propositions/formulas $\Phi$: 

$$\gamma := g \mid \varphi? \mid \gamma;\gamma \mid \gamma \cup \gamma \mid \gamma^* \mid \gamma^d$$

$$\varphi := \bot \mid p \mid \neg\varphi \mid \varphi \vee \varphi \mid \langle\gamma\rangle\varphi$$

where $p \in \Phi_0$ and $g \in \Gamma_0$. As usual, we define $\top := \neg\bot$, $[\gamma]\varphi := \neg\langle\gamma\rangle\neg\varphi$, 
$\varphi \wedge \psi := \neg(\neg\varphi \vee \neg\psi)$, $\varphi \to \psi := \neg\varphi \vee \psi$ and $\varphi \leftrightarrow \psi := (\varphi \to \psi) \wedge (\psi \to \varphi)$. 

As for the semantics, given a signature $(\Phi_0, \Gamma_0)$ of atomic propositions and 
atomic games, a game model (also called neighborhood model or minimal model, 
see [?]) $I = (S, \{N_g \mid g \in \Gamma_0\}, \{V_p \mid p \in \Phi_0\})$ consists of a set of states $S$, a 
valuation for each propositional letter $p \in \Phi_0$ such that $V_p \subseteq S$, and a function 
$N_g : \mathcal{P}(S) \to \mathcal{P}(S)$ for every atomic game $g \in \Gamma_0$. We require monotonicity, i.e. 
$X \subseteq Y$ implies $N_g(X) \subseteq N_g(Y)$ for all $g \in \Gamma_0$. 

Intuitively, we can think of every state $s$ as being associated with a 2-player 
game tree for every atomic game $g \in \Gamma_0$. Every terminal position of such a 
game tree is associated with a state $t \in S$. Since generally both players will have 
choices in the game, a player will usually not be able to force a particular state 
to come about at the end of the game. Rather, all he can do is force the outcome 
to lie in a particular set $Y \subseteq S$, and the game model specifies the sets of states 
which Angel can force, i.e. $s \in N_g(Y)$ holds if Angel has a strategy for ending up 
at a terminal position whose associated state is in $Y$. Given this interpretation, 
the monotonicity requirement is a natural one: If Angel has a strategy to bring 
about a state in $Y$, then that strategy trivially brings about a state in $Y'$ for 
every $Y' \supseteq Y$. 

The semantics of formulas and games is then defined by simultaneously ex-
tending $V$ and $N$ to non-atomic cases: 

$$V_\bot = \emptyset$$
$$V_{\neg\varphi} = \overline{V_\varphi}$$
$$V_{\varphi \vee \psi} = V_\varphi \cup V_\psi$$
$$V_{\langle\gamma\rangle\varphi} = N_\gamma(V_\varphi)$$

$$N_{\alpha;\beta}(X) = N_\alpha(N_\beta(X))$$
$$N_{\alpha^d}(X) = \overline{N_\alpha(\overline{X})}$$
$$N_{\alpha \cup \beta}(X) = N_\alpha(X) \cup N_\beta(X)$$
$$N_{\varphi?}(X) = V_\varphi \cap X$$
$$N_{\alpha^*}(X) = \bigcap\{Y \subseteq S \mid X \cup N_\alpha(Y) \subseteq Y\}$$

By induction, all $N_\alpha$ can be shown to be monotonic, and hence the operation 
$f_{\alpha,X}(Y) = X \cup N_\alpha(Y)$ will be monotonic as well. Thus, by the Knaster-Tarski 
theorem, $N_{\alpha^*}(X)$ is the least fixpoint of $f_{\alpha,X}$: 

$$N_{\alpha^*}(X) = \mu Y.f_{\alpha,X}(Y) = \mu Y.X \cup N_\alpha(Y)$$

i.e. $f_{\alpha,X}(N_{\alpha^*}(X)) = N_{\alpha^*}(X)$ and for every $Z \subseteq S$, if $f_{\alpha,X}(Z) = Z$ then 
$N_{\alpha^*}(X) \subseteq Z$. 

Finally, we say that $\varphi$ is true in $I = (S, \{N_g \mid g \in \Gamma_0\}, \{V_p \mid p \in \Phi_0\})$ at $s \in S$ 
(notation: $I, s \models \varphi$) iff $s \in V_\varphi$. Some more standard terminology: $\varphi$ is valid in $I$ 
(denoted as $I \models \varphi$) iff $V_\varphi = S$, and $\varphi$ is valid (denoted as $\models \varphi$) iff it is valid in all 
models. $\varphi$ and $\psi$ are equivalent iff $\models \varphi \leftrightarrow \psi$. Lastly, $\psi$ is a (global) consequence 
of $\varphi$ (denoted as $\varphi \models \psi$) iff for all models $I$, if $I \models \varphi$ then $I \models \psi$. 

3 Bisimulation for Game Models 

Bisimulation provides an answer to the question when two models or processes 
should be considered the same. Different criteria may come to mind depend-
ing on what aspects of the models one is interested in. If only interested in 
observable properties of processes, one may choose finite-trace equivalence, 
but if interested in mathematical structure, one may choose isomorphism. These 
equivalence notions (see e.g. [?] for an overview) partition the class of models 
into equivalence classes, and one may order equivalence notions according to 
how fine-grained the induced partition is. While finite-trace equivalence is often 
considered as too coarse and isomorphism as too fine, bisimulation is situated 
between these two extremes. 

As it stands, bisimulation cannot be applied to the game models of GL since 
these models are not processes. As will be discussed in the next section, the 
following definition generalizes the standard notion of bisimulation to the more 
general models used for GL. In a different context, this modification of bisimu-
lation has been proposed to deal with concurrency in [?]. 

Definition 1 (Bisimulation). Let $I = (S, \{N_g \mid g \in \Gamma_0\}, \{V_p \mid p \in \Phi_0\})$ and 
$I' = (S', \{N'_g \mid g \in \Gamma_0\}, \{V'_p \mid p \in \Phi_0\})$ be two models. Then $\sim\ \subseteq S \times S'$ is a 
bisimulation between $I$ and $I'$ iff for any $s \sim s'$ we have 

1. For all $p \in \Phi_0$: $s \in V_p$ iff $s' \in V'_p$ 

2. For all $g \in \Gamma_0$: If $s \in N_g(X)$ then $\exists X' \subseteq S'$ such that $s' \in N'_g(X')$ and 
$\forall x' \in X'\ \exists x \in X : x \sim x'$. 

3. For all $g \in \Gamma_0$: If $s' \in N'_g(X')$ then $\exists X \subseteq S$ such that $s \in N_g(X)$ and 
$\forall x \in X\ \exists x' \in X' : x \sim x'$. 

Two states $s \in S$ and $s' \in S'$ are bisimilar iff there is a bisimulation $\sim$ such 
that $s \sim s'$. If we want to make the underlying models explicit, we will write 
$(I, s) \sim (I', s')$. 

The notions of invariance and safety generalize the bisimulation clauses from 
atomic to general formulas and games. 

Definition 2 (GL-Invariance & Safety). A GL-formula $\varphi$ is invariant for 
bisimulation if for all models $I$ and $I'$, $(I, s) \sim (I', s')$ implies $I, s \models \varphi$ iff 
$I', s' \models \varphi$. A GL-game $\gamma$ is safe for bisimulation if for all models $I$ and $I'$, 
$(I, s) \sim (I', s')$ implies (1) if $s \in N_\gamma(X)$ then $\exists X' \subseteq S'$ such that $s' \in N'_\gamma(X')$ 
and $\forall x' \in X'\ \exists x \in X : x \sim x'$, and (2) if $s' \in N'_\gamma(X')$ then $\exists X \subseteq S$ such that 
$s \in N_\gamma(X)$ and $\forall x \in X\ \exists x' \in X' : x \sim x'$. 

As an equivalence notion for game models, bisimulation requires that if Angel 
can guarantee $\varphi$ in game $g$ in one model, he must be able to guarantee something 
at least as strong in the other model. If this were not the case, the two models 
could be distinguished by playing $g$, since Angel can achieve more in one model 
than in the other. The following result shows that GL is sound for bisimulation 
equivalence, i.e. not too expressive: Bisimilar states cannot be distinguished by 
formulas of the language (invariance), and the game constructions provided do 
not produce games which can distinguish bisimilar states either (safety). 

Proposition 1. All GL-formulas are invariant for bisimulation, and all GL- 
games are safe for bisimulation. 

Proof. We prove invariance and safety by simultaneous induction on $\varphi$ and 
$\gamma$. By definition, atomic games (formulas) are safe (invariant) for bisimula-
tion. Consider two models $I = (S, \{N_g \mid g \in \Gamma_0\}, \{V_p \mid p \in \Phi_0\})$ and $I' = (S', \{N'_g \mid g 
\in \Gamma_0\}, \{V'_p \mid p \in \Phi_0\})$. For non-atomic formulas, the boolean cases are immedi-
ate and we shall only show one direction of invariance for $\langle\gamma\rangle\varphi$. If $I, s \models \langle\gamma\rangle\varphi$, 
$s \in N_\gamma(V_\varphi)$ and so (by safety induction hypothesis for $\gamma$) there is some $X'$ such 
that $s' \in N'_\gamma(X')$ and for all $x' \in X'$ there is some $x \in V_\varphi$ such that $x \sim x'$. 
By invariance induction hypothesis for $\varphi$, this means that $X' \subseteq V'_\varphi$, and so by 
monotonicity, $s' \in N'_\gamma(V'_\varphi)$, which establishes that $I', s' \models \langle\gamma\rangle\varphi$. 

As for proving that the game constructions of GL are safe for bisimulation, 
consider first the case of test $\varphi?$: If $s \in N_{\varphi?}(X) = V_\varphi \cap X$, let $X' := \{x' \mid \exists x \in 
X : x \sim x'\}$, where $\sim$ denotes the bisimulation as usual. Then $s' \in N'_{\varphi?}(X')$ by 
induction hypothesis (1.) for $\varphi$, and for all $x' \in X'$ there is some $x \in X$ such 
that $x \sim x'$, simply by definition of $X'$. 

For union, if $s \in N_{\alpha \cup \beta}(X)$ we can assume w.l.o.g. that $s \in N_\alpha(X)$ and apply 
the induction hypothesis, i.e. for some $X'$, we have $s' \in N'_\alpha(X')$ and hence also 
$s' \in N'_{\alpha \cup \beta}(X')$. 

For composition, suppose that $s \in N_\alpha(N_\beta(X))$. Using the induction hypoth-
esis for $\alpha$, there is some $Y'$ such that $s' \in N'_\alpha(Y')$ and for all $y' \in Y'$ there is 
a $u \in N_\beta(X)$ such that $u \sim y'$. Now let $X' := \{x' \mid \exists x \in X : x \sim x'\}$. We must 
show that $s' \in N'_\alpha(N'_\beta(X'))$. For this, it suffices by monotonicity to show that 
$Y' \subseteq N'_\beta(X')$. So suppose that $y' \in Y'$, i.e. for some $u \in N_\beta(X)$ we have $u \sim y'$. 
Using the induction hypothesis for $\beta$, there is some $V'$ such that $y' \in N'_\beta(V')$ 
and for all $v' \in V'$ there is some $x \in X$ such that $x \sim v'$. Hence $V' \subseteq X'$ and so 
by monotonicity, $y' \in N'_\beta(X')$. 

Dual: Suppose $s \in N_{\alpha^d}(X)$, i.e. $s \notin N_\alpha(\overline{X})$. Again, let $X' := \{x' \mid \exists x \in X : 
x \sim x'\}$. It is sufficient to show that $s' \notin N'_\alpha(\overline{X'})$. Suppose by reductio the 
contrary. Then there is some $Z$ with $s \in N_\alpha(Z)$ and for all $z \in Z$ there is some 
$x' \notin X'$ such that $z \sim x'$. From this it follows that $Z \subseteq \overline{X}$, so by monotonicity 
$s \in N_\alpha(\overline{X})$, a contradiction. 

Iteration: Let $X' := \{x' \mid \exists x \in X : x \sim x'\}$ and $Z := \{z \mid \forall z' : z \sim z' \Rightarrow z' \in 
N'_{\alpha^*}(X')\}$. It is sufficient to show that $N_{\alpha^*}(X) \subseteq Z$, and given the definition of 
$N_{\alpha^*}(X)$ as a least fixpoint, it suffices to show that $X \cup N_\alpha(Z) \subseteq Z$. Supposing 
that $x \in X$ and for some $x'$ we have $x \sim x'$, we have $x' \in X' \subseteq N'_{\alpha^*}(X')$. 
On the other hand, suppose that $x \in N_\alpha(Z)$ and $x \sim x'$. Then by induction 
hypothesis, there is some $Z'$ such that $x' \in N'_\alpha(Z')$ and for all $z' \in Z'$ there is 
some $z \in Z$ such that $z \sim z'$. But then $Z' \subseteq N'_{\alpha^*}(X')$, and so by monotonicity 
$x' \in N'_\alpha(N'_{\alpha^*}(X')) \subseteq N'_{\alpha^*}(X')$ which completes the proof. □ 

4 Games on Kripke Models I: μ-Calculus 

In the remaining part of this paper, we shall look at a special class of game 
models, namely Kripke models. A Kripke model $I = (S, \{R_g \mid g \in \Gamma_0\}, \{V_p \mid p \in 
\Phi_0\})$ differs from a game model in providing an accessibility relation $R_g \subseteq S \times S$ 
for every atomic game $g \in \Gamma_0$. In Kripke models, atomic games are particularly 
simple since they are 1-player games. For each atomic game, all choices within 
that game are made by Angel so that Angel has complete freedom in determining 
which terminal position will be reached. Thus, $sR_gt$ will hold if when playing 
game $g$ at state $s$, $t$ is a possible final state. To obtain the corresponding game 
model from a Kripke model, let $N_g(X) = \{s \in S \mid \exists t \in X : sR_gt\}$. Under this 
correspondence, one can easily verify that for Kripke models, definition 1 indeed 
reduces to the following standard notion of bisimulation: 

Definition 3 (Bisimulation for Kripke models). Let $I = (S, \{R_g \mid g \in \Gamma_0\}, 
\{V_p \mid p \in \Phi_0\})$ and $I' = (S', \{R'_g \mid g \in \Gamma_0\}, \{V'_p \mid p \in \Phi_0\})$ be two Kripke models. 
Then $\sim\ \subseteq S \times S'$ is a bisimulation between $I$ and $I'$ iff for any $s \sim s'$ we have 

1. For all $p \in \Phi_0$: $s \in V_p$ iff $s' \in V'_p$ 

2. For all $g \in \Gamma_0$: If $sR_gt$, then there is a $t' \in S'$ such that $s'R'_gt'$ and $t \sim t'$. 

3. For all $g \in \Gamma_0$: If $s'R'_gt'$, then there is a $t \in S$ such that $sR_gt$ and $t \sim t'$. 

Two well-known languages for describing Kripke models are PDL and the 
modal μ-calculus. The language of PDL differs from the language of GL only in 
not having the dual-operator available. Since this operator was responsible for 
introducing interaction between the players, all games which can be constructed 
within PDL will be 1-player games, i.e. nondeterministic programs. 

The μ-calculus introduces fixpoint operators into the modal language, yield-
ing a logic which is strictly more expressive than PDL (see [?]). Besides proposi-
tional constants the language contains propositional variables $X, Y, \ldots \in Var$ 
and the set of formulas is defined inductively as 

$$\varphi := \bot \mid p \mid X \mid \neg\varphi \mid \varphi \vee \varphi \mid \langle\gamma_0\rangle\varphi \mid \mu X.\varphi$$

where $p \in \Phi_0$, $\gamma_0 \in \Gamma_0$, $X \in Var$ and in $\mu X.\varphi$, $X$ occurs strictly positively in $\varphi$, 
i.e. every free occurrence of $X$ in $\varphi$ occurs under an even number of negations. 
Note that in contrast to GL, modalities are always atomic in the μ-calculus. 

Formulas of the μ-calculus are interpreted over Kripke models as before (using 
the corresponding game model), but a variable assignment $v : Var \to \mathcal{P}(S)$ is 
needed to interpret variables. The semantics of the fixpoint formula is given by 

$$V^{v}_{\mu X.\varphi} = \bigcap\{T \subseteq S \mid V^{v[X:=T]}_{\varphi} \subseteq T\}$$

where $v[X:=T]$ differs from $v$ in assigning $T$ to variable $X$. Since $\varphi$ was assumed 
to be strictly positive in $X$, monotonicity is guaranteed and $\mu X.\varphi$ denotes the 
least fixpoint of the operation associated with $\varphi(X)$. 

Inspecting the semantics of GL, one can easily translate GL-formulas into 
equivalent μ-calculus formulas, demonstrating that GL is a variable-free frag-
ment of the μ-calculus. While a characterization of the precise expressiveness of 
this fragment is still lacking, some preliminary observations can be made: GL 
is strictly more expressive than PDL, since GL can express the existence of an 
infinite $a$-path by the formula 

$$\nu X.\langle a\rangle X = $$

which cannot be expressed in PDL (see [?]). More complex properties such as 
"on some path $p$ occurs infinitely often" ($EF^\infty p$ in CTL* notation) can also be 
expressed (we assume that $\Gamma_0 = \{a\}$): 

$$\nu X.\mu Y.\langle a\rangle((p \wedge X) \vee Y) = [((a^*; a; p?)^d)^*]\top$$

where $\nu X.\varphi$ abbreviates $\neg\mu X.\neg\varphi(\neg X)$ and yields the greatest fixpoint of $V_\varphi(X)$. 
More generally, if we let $g_0 = a$ and $g_{n+1} = (g_n^d)^*$, the μ-calculus translation of 
$\langle g_n\rangle\bot$ will be a formula of alternation depth $n$, so that GL formulas cover all 
levels of the alternation hierarchy as defined in [?]. 



5 Games on Kripke Models II: First-Order Logic 



It is well-known that modal logic and PDL without iteration can be translated 
into FOL. In spite of the second-order appearance of Game Logic, a translation 
into FOL is possible here as well: The signature contains a unary relation symbol 
$V_p$ for every propositional letter $p \in \Phi_0$, and a binary relation symbol $R_g$ for 
every atomic game $g \in \Gamma_0$. Furthermore, we allow for second-order variables 
$X, Y, \ldots$ as well. Thus, the unary relation symbols now comprise constants as 
well as variables. As will become clear later, we will not quantify over these 
variables but only use them as a matter of convenience to serve as place-holders 
for substitution; hence, we can still consider the language to be first-order. We 
define the translation function $^\circ$ which maps a GL-formula $\varphi$ to a FOL-formula 
with one free variable $x$, and an iteration-free GL-game $\gamma$ to a FOL-formula with 
two free variables $x$ and $Y$. 

$$p^\circ = V_p x \quad \text{for } p \in \Phi_0$$
$$(\neg\varphi)^\circ = \neg\varphi^\circ$$
$$(\varphi \vee \psi)^\circ = \varphi^\circ \vee \psi^\circ$$
$$(\langle\gamma\rangle\varphi)^\circ = \gamma^\circ[Y := \varphi^\circ]$$

$$g^\circ = \exists z(xR_gz \wedge Yz) \quad \text{for } g \in \Gamma_0$$
$$(\varphi?)^\circ = \varphi^\circ \wedge Yx$$
$$(\alpha \cup \beta)^\circ = \alpha^\circ \vee \beta^\circ$$
$$(\alpha;\beta)^\circ = \alpha^\circ[Y := \beta^\circ]$$
$$(\alpha^d)^\circ = \neg\alpha^\circ[Y := \neg Yx]$$



In this definition, substitution for second-order variables is used as follows: 
Given two FOL-formulas $\delta$ and $\xi$ where $\xi$ contains exactly one free first-order 
variable, say $x$, $\delta[Y := \xi]$ denotes the result of replacing every occurrence $Yt$ in 
$\delta$ by $\xi[x := t]$. As an example, $\exists z(xR_gz \wedge Yz)[Y := \neg Yx]$ yields $\exists z(xR_gz \wedge \neg Yz)$. 
Some more remarks on notation: $\varphi(x_1, \ldots, x_n)$ refers to a formula $\varphi$ whose free 
variables (first- and second-order) are among $x_1, \ldots, x_n$. When a formula has 
been introduced in this way, $\varphi(t_1, \ldots, t_n)$ denotes $\varphi[x_1 := t_1, \ldots, x_n := t_n]$, i.e. 
the simultaneous substitution of $t_i$ for $x_i$ in $\varphi$. 

Regarding the semantics, we can interpret a Kripke model $I = (S, \{R_g \mid g \in 
\Gamma_0\}, \{V_p \mid p \in \Phi_0\})$ as a first-order model in the obvious way, taking $R_g$ as the 
interpretation of $R_g$, and interpreting $V_p$ as $V_p$. For a unary predicate symbol $V_p$ 
and $X \subseteq S$, let $I_{p:=X}$ be the model which is the same as $I$ except that $V_p = X$. 
Given a model $I$, states $s_1, \ldots, s_n \in S$, sets of states $S_1, \ldots, S_n \subseteq S$ and a 
FOL-formula $\varphi(x_1, \ldots, x_n, X_1, \ldots, X_n)$, we write $I \models \varphi[s_1, \ldots, s_n, S_1, \ldots, S_n]$ 
to denote that $\varphi$ is true in $I$ according to the standard FOL semantics when $x_i$ 
is assigned the value $s_i$ and $X_i$ the value $S_i$. 

The following result states the semantic correctness of the translation func-
tion. 

Lemma 1. For all GL-formulas $\varphi$, games $\gamma$ and Kripke models $I = (S, \{R_g \mid g \in 
\Gamma_0\}, \{V_p \mid p \in \Phi_0\})$: $I, s \models \varphi$ iff $I \models \varphi^\circ[s]$ and $s \in N_\gamma(X)$ iff $I \models \gamma^\circ[s, X]$. 

As with the safety result for program constructions, the safety result for game 
constructions makes use of the characterization of the modal fragment of FOL 
as its bisimulation-invariant fragment. The definition of invariance and safety 
(definition 2) which was phrased for GL has its natural first-order analogue: 

Definition 4 (FOL-Invariance & Safety). A FOL-formula $\varphi(x)$ is invariant 
for bisimulation if for all models $I$ and $I'$, $(I, s) \sim (I', s')$ implies that $I \models \varphi[s]$ 
iff $I' \models \varphi[s']$. A first-order formula $\varphi(x, Y)$ is safe for bisimulation if for all 
models $I$ and $I'$, $(I, s) \sim (I', s')$ implies (1) if $I \models \varphi[s, T]$ then there is some $T'$ 
such that $I' \models \varphi[s', T']$ and for all $t' \in T'$ there is some $t \in T$ such that $t \sim t'$, 
and (2) if $I' \models \varphi[s', T']$ then there is some $T$ such that $I \models \varphi[s, T]$ and for all 
$t \in T$ there is some $t' \in T'$ such that $t \sim t'$. 

By a modal formula we mean a GL-formula which only contains atomic games 
(i.e. also no tests). The classic result from [?] can now be stated as follows: 

Lemma 2. A FOL-formula $\varphi(x)$ is invariant for bisimulation iff it is equivalent 
to the translation of a modal formula. 

For the rest of this section, we will assume that games are iteration-free. 
Call a FOL-formula $\varphi(x, Y)$ monotonic iff for all Kripke models $I$ and states 
$s$, $I \models \varphi[s, X]$ implies $I \models \varphi[s, X']$ for every $X \subseteq X'$. Similarly, call a modal 
formula $\varphi$ monotonic in $p$ iff for all Kripke models $I$ and states $s$, $I_{p:=X}, s \models \varphi$ 
implies $I_{p:=X'}, s \models \varphi$ for every $X \subseteq X'$. Lastly, let $Pos(\varphi)$ ($Neg(\varphi)$) be the 
set of atomic propositions which occur positively (negatively) in $\varphi$, i.e. under an 
even (odd) number of negations. Thus, formula $\varphi$ is strictly positive (negative) 
in $p$ iff $p \notin Neg(\varphi)$ ($p \notin Pos(\varphi)$). 

The final lemma needed relates the syntactic notion of positivity to the se-
mantic notion of monotonicity. It makes use of the Lyndon interpolation theorem 
for modal logic (see e.g. [?]) and the global deduction theorem (taken from [?]). 

Lemma 3 (Lyndon Interpolation Theorem). If $\models \alpha \to \beta$ for modal for-
mulas $\alpha, \beta$, then there exists a modal formula $\gamma$ such that (1) $\models \alpha \to \gamma$, (2) 
$\models \gamma \to \beta$, (3) $Pos(\gamma) \subseteq Pos(\alpha) \cap Pos(\beta)$, and (4) $Neg(\gamma) \subseteq Neg(\alpha) \cap Neg(\beta)$. 



Lemma 4 (Global Deduction Theorem). For modal formulas $\delta$ and $\gamma$, $\delta \models 
\gamma$ iff there is some $n \geq 0$ such that $\models (\Box^1\delta \wedge \ldots \wedge \Box^n\delta) \to \gamma$, where each $\Box^i$ 
represents a possibly empty sequence of universal modalities labeled by (possibly 
different) atomic games. 



Lemma 5. A modal formula $\varphi$ is monotonic in $p$ iff it is equivalent to a modal 
formula strictly positive in $p$. 

Proof. One can easily check by induction that strictly positive modal formulas 
are monotonic, so we shall only prove the other direction. If $\varphi(p)$ is monotonic 
in $p$, then taking a proposition letter $q$ not occurring in $\varphi$, we have $p \to q \models 
\varphi(p) \to \varphi(q)$ (recall that semantic consequence was defined globally). By lemma 
4 we know that 

$$(\Box^1(p \to q) \wedge \ldots \wedge \Box^n(p \to q)) \to (\varphi(p) \to \varphi(q))$$

is valid, and as a consequence, 

$$\varphi(p) \to ((\Box^1(p \to q) \wedge \ldots \wedge \Box^n(p \to q)) \to \varphi(q))$$

is also valid. By lemma 3 this implies that 

$$\varphi(p) \to \gamma \quad \text{and} \quad \gamma \to ((\Box^1(p \to q) \wedge \ldots \wedge \Box^n(p \to q)) \to \varphi(q))$$

are valid, for some modal formula $\gamma$ which does not contain $q$ and which is strictly 
positive in $p$. The second conjunct implies that $\gamma \to \varphi(p)$ is valid: For suppose 
$I, s \models \gamma$ and $X = \{t \mid I, t \models p\}$. Then since $\gamma$ does not contain $q$, $I_{q:=X}, s \models \gamma$. 
From this it follows that $I_{q:=X}, s \models \varphi(q)$ and hence $I, s \models \varphi(p)$. Thus, $\varphi$ is 
equivalent to $\gamma$, a modal formula strictly positive in $p$. □ 

The main lemma we need for our safety result relates monotonic modal for-
mulas to GL-formulas of a special kind. 

Lemma 6. Every modal formula $\varphi$ which is monotonic in $p$ is equivalent to a 
GL-formula $\langle\gamma\rangle p$, where $\gamma$ is a game which does not contain $p$. 

Proof. We prove by induction that every modal formula $\varphi$ which is strictly 
positive (negative) in $p$ is equivalent to a GL-formula $\langle\gamma\rangle p$ ($\neg\langle\gamma\rangle p$), where $\gamma$ 
does not contain $p$. Then the result follows by lemma 5. The following table 
provides the equivalent GL-formulas for every modal formula $\varphi$ depending on 
whether $\varphi$ is strictly positive or strictly negative in $p$. 
modal formula | str. pos/neg | GL-formula | ind. hyp. 
$p$ | pos | $\langle\top?\rangle p$ | - 
… | pos | … | - 
… | neg | … | - 
$\neg\varphi$ | pos | $\langle\gamma\rangle p$ | $\models \varphi \leftrightarrow \neg\langle\gamma\rangle p$ 
$\neg\varphi$ | neg | $\neg\langle\gamma\rangle p$ | $\models \varphi \leftrightarrow \langle\gamma\rangle p$ 
$\varphi_1 \vee \varphi_2$ | pos | $\langle\gamma_1 \cup \gamma_2\rangle p$ | $\models \varphi_i \leftrightarrow \langle\gamma_i\rangle p$ 
$\varphi_1 \vee \varphi_2$ | neg | $\neg\langle(\gamma_1^d \cup \gamma_2^d)^d\rangle p$ | $\models \varphi_i \leftrightarrow \neg\langle\gamma_i\rangle p$ 
$\langle g\rangle\varphi$ | pos | $\langle g; \gamma\rangle p$ | $\models \varphi \leftrightarrow \langle\gamma\rangle p$ 
$\langle g\rangle\varphi$ | neg | $\neg\langle g^d; \gamma\rangle p$ | $\models \varphi \leftrightarrow \neg\langle\gamma\rangle p$ 

□ 

Proposition 2. A FOL-formula $\varphi(x, Y)$ is equivalent to the translation of a 
GL-game iff it is safe for bisimulation and monotonic in $Y$. 

Proof. If $\varphi(x, Y)$ is equivalent to the translation of a GL-game $\gamma$, then using 
lemma 1, $\varphi$ will be monotonic in $Y$ (because $N_\gamma$ is monotonic) and safe for 
bisimulation (by proposition 1). 

For the converse, assume that $\varphi(x, Y)$ is monotonic and safe for bisimulation. 
Taking a new predicate symbol $V_p$ which does not occur in $\varphi$, $\varphi(x, V_p)$ will be 
invariant for bisimulation. By lemma 2, $\varphi(x, V_p)$ is equivalent to the translation 
of a modal formula $\delta$, i.e. $\models \varphi(x, V_p) \leftrightarrow \delta^\circ$. Since $\varphi(x, Y)$ was monotonic, $\delta$ 
will be monotonic in $p$ and by lemma 6, $\models \delta \leftrightarrow \langle\gamma\rangle p$ where $\gamma$ is a GL-game 
which does not contain $p$, and so $\models \varphi(x, V_p) \leftrightarrow (\langle\gamma\rangle p)^\circ$. It can now be checked 
that $\models \varphi(x, Y) \leftrightarrow \gamma^\circ$: If $I \models \varphi[s, X]$ then given that $V_p$ does not occur in $\varphi$, 
$I_{p:=X} \models \varphi(x, V_p)[s]$ and hence $I_{p:=X} \models (\langle\gamma\rangle p)^\circ[s]$. Since $p$ does not occur in $\gamma$, this 
implies that $I \models \gamma^\circ[s, X]$. The converse is proved along the same lines. □ 

On the one hand, proposition 2 provides a characterization result for the 
iteration-free games which can be constructed in Game Logic: GL-games are the 
monotonic bisimulation-safe formulas $\varphi(x, V_p)$ of first-order logic (we can simply 
replace the variable $Y$ by a designated unary predicate constant $V_p$). In other 
words, the game-fragment of FOL is precisely the monotonic bisimulation-safe 
fragment. On the other hand, looking at the set of operations on games which 
GL provides, one may ask whether one could not add other natural operations to 
create new games (e.g. playing games in parallel), thus increasing the expressive 
power of the language. Proposition 2 demonstrates that if the new game opera-
tion is (1) first-order definable, (2) monotonic and (3) safe for bisimulation, then 
it is expressible in GL already. As argued before, requirements (2) and (3) are 
natural desiderata for games, i.e. they are minimal requirements for any alleged 
game operation, and so the operations of test, union, composition and dual are 
sufficient to construct all first-order definable games. 

The result concerning bisimulation-safe programs from [?] can be reformu-
lated to fit the present framework. Semantically, the difference between games 
and programs lies in the difference between monotonicity and continuity: Call 
a FOL-formula $\varphi(x, Y)$ continuous iff for all Kripke models $I$ and states $s$, 
$I \models \varphi[s, \bigcup_{X \in \mathcal{V}} X]$ implies that there is some $X \in \mathcal{V}$ for which $I \models \varphi[s, X]$ holds. Then the 
program-analogue of proposition 2 states that a FOL-formula $\varphi(x, Y)$ is equiva-
lent to the translation of a PDL-program iff it is safe for bisimulation and contin-
uous in $Y$, where PDL-programs are dual-free GL-games. Thus, the dual operator 
makes all the difference between programs and games; without dual, we obtain 
all first-order definable programs, with dual, all first-order definable games. 

6 Beyond First-Order Logic 

The last two sections were concerned with Kripke models rather than game 
models in general. The reason for this restriction is that game models are rather 
unorthodox structures. We do not know of any logical languages besides non-
normal modal logics and Game Logic which have been proposed for these struc-
tures. Consequently, this prevents an easy extension of the definability result of 
proposition 2 to GL over general game models. 

Even for Kripke models, the translation into FOL carried out in the previous 
section relied on the restriction to iteration-free games. For programs, a stronger 
definability result covering iteration has been obtained in [?] which charac-
terizes the class of monadic-second-order definable programs which are safe for 
bisimulation. The proof makes use of the fact that the bisimulation-invariant 
fragment of monadic second-order logic is the μ-calculus [?]. An extension of 
proposition 2 along these lines however would require a better understanding 
of how exactly GL relates to the μ-calculus. As for the μ-calculus itself, many 
fundamental properties were established only recently, such as completeness [?], 
the non-collapse of the alternation-hierarchy [?] and uniform interpolation [?], 
and others such as Lyndon interpolation are still open. 

To summarize, the restriction of the scope of proposition 2 to FOL is due to 
the fact that FOL is one of the logics we know most about and is able to express 
the most fundamental game-operations. When moving to stronger languages 
one has different options available, always depending on the game constructions 
one is interested in. For besides playing a game iteratively, playing two games in 
parallel or interleaved might present another attractive game construction worth 
investigating in relation to bisimulation. 
Abstract. We prove, in the context of simple type theory, that logical relations are sound and complete for data abstraction as given by equational specifications. Specifically, we show that two implementations of an equationally specified abstract type are equivalent if and only if they are linked by a suitable logical relation. This allows us to introduce new types and operations of any order on those types, and to impose equations between terms of any order. Implementations are required to respect these equations up to a general form of contextual equivalence, and two implementations are equivalent if they produce the same contextual equivalence on terms of the enlarged language. Logical relations are introduced abstractly, soundness is almost automatic, but completeness is more difficult, achieved using a variant of Jung and Tiuryn's logical relations of varying arity. The results are expressed and proved categorically. 

Keywords: logical relations, cartesian closed fibrations, interpretations, lambda calculus 



1 Introduction 

Logical relations are a standard tool for establishing the equivalence of data representations. If one can find a family of relations on corresponding types which is a congruence, i.e., is preserved by the operations of the theory, and which reduces to equality on observable types, then clearly observable operations will be equal in the two representations. Such a family need not form a logical relation (it may form a lax or pre-logical relation |4fl 2j), but logical relations do provide a way to construct such families by induction on type structure. So the establishment of a logical relation suffices to determine equivalence of representation, at least for simple types. It has long been known that for algebraic theories with first order operations and equations, equivalent representations are indeed linked by a logical relation, see Mitchell [f)l 1 1 )j. It has also long been known that standard logical relations are not complete in this sense for higher-order theories. 
** This author would like to acknowledge the support of an EPSRC Advanced Fellow- 

The purpose of this paper is to show that by relaxing the definition of logical relation, we can extend Mitchell's completeness result to higher-order theories. 

The approach we take here has two major sources. The first is the work of Achim Jung and Jerzy Tiuryn 0, who used a form of logical relations to characterise lambda definability in the simple type hierarchy. The second is the thesis of Claudio Hermida 0, which explores the connection between logical predicates and logical formalisms expressed as fibrations defined over the semantic category. Sadly there is still no really accessible reference for the material and ideas in this thesis. 

From a practical angle, the notion of abstract type we use here is quite restricted as we only consider equationally specified types, albeit with equations between higher-order operators. This is also the level of generality of Alimohamed's work on definability fp. However, it raises a natural question of whether the link with logic exploited in this paper could be further exploited to allow a less restrictive specification language. 

Finally, if data abstraction is the study of equivalence of representation, then data refinement is the study of improvements. The two ideas are clearly linked, and the fundamental notion of this paper, that of being "linked by a logical relation", is closely related to the notion of L-relation in jHj (see also [O]). The work of that paper, which is also about data equivalence but from a purely categorical perspective, and the work of this paper, and those on lax and pre-logical relations [41 1 2j clearly need to be combined at some point. 

A natural question, however, is why we chose to base our work on cartesian 
closed categories rather than Henkin models. 

Henkin models provide a natural extension of classical set-based first-order 
model theory to the higher-order setting of simply typed lambda calculi. Much 
of their appeal lies in the immediacy of this relation. Cartesian closed categories, 
on the other hand, arose out of the desire to express in purely category theoretic 
terms the characteristic properties of function spaces such as those found in Set. 
The formal link with typed lambda calculus, though not surprising in itself, came 
surprisingly late (cf. Lambek and Scott [7|), and prompted a slight redefinition 
of the notion to allow categories which had products but not arbitrary finite 
limits. 

Cartesian closed categories and Henkin models are intimately linked. If one starts with a Henkin model of $\lambda{\to}$ one can easily extend it to model the type theory with products, $\lambda{\times}{\to}$ (using the fact that the type $(A_1 \times \dots \times A_n) \to (B_1 \times \dots \times B_m)$ is isomorphic to a product of pre-existing types $(A_1 \to (\dots (A_n \to B_1) \dots)) \times \dots \times (A_1 \to (\dots (A_n \to B_m) \dots))$). If one has a Henkin model of typed lambda calculus with products, then one can obtain a (concrete) cartesian closed category. The objects are types and the morphisms $A \to B$ are the elements of the function type $[A \to B]$ in the Henkin model. Conversely if one has a cartesian closed category $C$, together with a product-preserving functor $U : C \to \mathrm{Set}$, then one obtains an applicative structure with product types. The types are the objects of the category, and the type $A$ is interpreted as the set $UA$. This automatically has representations of the combinators because of their presence as morphisms in the cartesian closed category. However it is not necessarily a Henkin model because in general different elements of the function type may represent the same function. If, however, $C$ is a concrete category and $U$ its underlying set functor, this will not happen. In that case we do get a Henkin model. 

So, from this perspective, cartesian closed categories generalise Henkin mod- 
els. The question is whether that generality, or that difference in structure, is 
useful. We believe that it is. 

One technical difference between the two approaches is apparent if one thinks of semantics taken in some kind of sets with structure (e.g. domains). It is natural to ask when this collection of sets forms a model of the simply typed lambda calculus. The category-theoretic answer is that one has to specify an appropriate notion of homomorphism. The resulting category is then either cartesian closed, in which case it supports a model structure, or it is not, when it doesn't. Moreover, if it is cartesian closed then the structure we use to model the lambda calculus is essentially unique. In contrast, it is much less clear what the constraints on a Henkin structure might be, or in what sense the structure would be unique if it existed. Essentially the development has to mimic the category-theoretic. First one defines an appropriate notion of homomorphism. Then one asks whether the set of homomorphisms between two objects can be made to carry the structure of the objects we are interested in. Or rather, since it almost always can, whether it can be made to do so in a way that makes application and the combinators homomorphisms. It is perhaps because of this apparently greater complexity that domain theorists and others talk about specific categories of domains being cartesian closed, and not about Henkin structures on classes of domains. 

Moreover, Henkin models can only talk about models built on sets. This constraint is not always natural. For example it is natural to say that the canonical way of viewing a partially-ordered set as a category turns a Heyting (or Boolean) algebra into a cartesian closed category. It is not natural to say that they carry a Henkin model structure, since that requires presenting the elements of the partial order as themselves sets. A further example comes from the Curry-Howard correspondence. This can be conveniently and precisely expressed by saying that there is an isomorphism between a category whose objects are types and whose morphisms are $\beta\eta$-equivalence classes of $\lambda$-terms, and a category whose objects are propositions and whose morphisms are normalisation classes of proofs. The Henkin model account has to be forced to apply to this, most notably because in the event that $A$ is not provable, then a proof of $A \to B$ cannot adequately be described as a function which takes proofs of $A$ to proofs of $B$. 

We now turn to possible directions for our own future work. First, there are 
links between this work and the work of Honsell and Sannella on pre-logical 
relations. Unfortunately a preliminary account of these links had to be cut from 
this paper for reasons of space. We intend to return to this theme. An obvious 
direction in which to extend this work is to address models of call-by-value 
lambda-calculi such as the computational lambda-calculus HH. 
2 Contextual Equivalence 

In this section, we give a categorical account of a standard Morris-style contextual equivalence. As we are working in the context of simple type theory, and the theory may well be strongly normalising, we use a denotational rather than an operational approach, and observe values produced by computations rather than termination. 

The basic structure is as follows. We assume a given cartesian closed category $C$. For instance, $C$ may be the category Set of small sets, or, if we want to be sure to include fixed point operators to model recursion, we could consider $C$ to be the category of $\omega$-cpo's with least element, and with maps being functions that preserve the poset structure and sup's of $\omega$-chains. Other alternatives for $C$ include categories generated by axiomatic domain theory [2], or presheaf categories, or toposes. We simply require that $C$ be cartesian closed. The category $C$ will represent our base category in which we take our denotational semantics. 

We further assume that we are given a set of observable pairs of types $\mathrm{Obs} \subseteq \mathrm{ob}(C) \times \mathrm{ob}(C)$. The intuition behind this is that we are allowed to form judgements of equality 

$x : A \vdash e = e' : B$ 

where $(A, B) \in \mathrm{Obs}$. An alternative approach is to use a set of observable types, but we think this accords better with our open-term interpretation of the lambda calculus, and will allow a simpler extension to dependent type theory. 

We use the structure of observables to generate a contextual equivalence $\sim$ on $C$, which allows us to compare $f \sim g$ when $f$ and $g$ are maps with common domain and codomain: type-theoretically, this amounts to demanding that contextually equivalent terms have the same type and are defined in the same context. 

Example 1. 1. The underlying category is CPO, and $\mathrm{Obs} = \{(1, 1_\perp)\}$. This gives one of the standard forms of Morris-style contextual equivalence, in which we are allowed to observe termination of closed terms. 

2. The underlying category is Set, and $\mathrm{Obs} = \{(1, \mathrm{Bool})\}$. Here, there is no non-termination, but contexts produce closed terms of type Bool. We can observe the boolean produced. 

3. $\mathrm{Obs} = \mathrm{ob}(C) \times \mathrm{ob}(C)$. In this case everything is observable. Not surprisingly $\sim$ is just equality. 
Definition 1. Given $f, g : X \to Y$, we define $\sim$ by $f \sim g$ if for all $(A, B) \in \mathrm{Obs}$, and for all $\alpha : A \to X$ and $\beta : Y \to B$, we have 

$\beta \cdot f \cdot \alpha = \beta \cdot g \cdot \alpha$ 

that is, the two composites $A \xrightarrow{\alpha} X \xrightarrow{f} Y \xrightarrow{\beta} B$ and $A \xrightarrow{\alpha} X \xrightarrow{g} Y \xrightarrow{\beta} B$ are equal. 
The category theoretic definition of a congruence is often used to mean an equivalence relation on each homset of a category $C$ such that that equivalence relation is respected by composition on either side. Here, by a congruence, we mean that notion together with invariance under products and exponentials. That allows us to make the primary definition of this section as follows. 

Definition 2. We define $\approx$ to be the largest congruence contained in $\sim$. 

Mercifully, we can characterise $\approx$ more directly by means of the following proposition. We denote the exponential of $X$ raised to the power $U$ by $[U, X]$. We follow this convention for exponentials in a category, for exponentials of not only objects but maps, and for exponentials of categories, i.e., for functor categories, when we need them. 

Proposition 1. Given $f, g : X \to Y$, the following are equivalent: 

1. $f \approx g$ 

2. for all $U, V$ in $\mathrm{ob}(C)$, we have $[U, f] \times V \sim [U, g] \times V$ 

To prove this proposition, apply the following lemma. 

Lemma 1. Let $\sim$ be an equivalence relation on parallel pairs of arrows of a category $C$. Then 

1. composition preserves $\sim$, and hence $C/{\sim}$ is a category and $C \to C/{\sim}$ is a functor, if and only if $f \sim g$ implies $\beta \cdot f \cdot \alpha \sim \beta \cdot g \cdot \alpha$. 

2. if $C$ has finite products, then $C/{\sim}$ has finite products, and passage to the quotient preserves them, if and only if 1 holds and $f \sim g$ implies $f \times V \sim g \times V$ for all $V$ in $\mathrm{ob}(C)$. 

3. if $C$ is cartesian closed, then $C/{\sim}$ is a cartesian closed category and passage to the quotient is a cartesian closed functor if and only if 1 and 2 hold and $f \sim g$ implies $[U, f] \sim [U, g]$ for all $U$ in $\mathrm{ob}(C)$, or equivalently if and only if 1 holds and $f \sim g$ implies $[U, f] \times V \sim [U, g] \times V$ for all $U, V$ in $\mathrm{ob}(C)$. 
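As an added derivation, not part of the paper, here is how Lemma 1 yields Proposition 1. The relation $\approx'$ and the isomorphisms $\iota_X$, $\varepsilon_Y$, $\phi_X$ are names introduced here; everything else is the paper's own notation, with $\sim$ as in Definition 1 and $\approx$ as in Definition 2 (note that $\approx'$ is an equivalence relation on parallel pairs because $\sim$ is).

```latex
% Added derivation (not from the paper): Proposition 1 from Lemma 1.
% Write $f \approx' g$ for "$[U,f] \times V \sim [U,g] \times V$ for all $U,V \in \mathrm{ob}(C)$";
% the claim is $\approx' = \approx$, i.e. $\approx'$ is the largest congruence contained in $\sim$.

\paragraph{(0) $\sim$ is closed under composition on either side.}
If $f \sim g : X \to Y$ and $k : X' \to X$, $h : Y \to Y'$, then for $(A,B) \in \mathrm{Obs}$,
$\alpha : A \to X'$ and $\beta : Y' \to B$:
\[
  \beta \cdot (h \cdot f \cdot k) \cdot \alpha
  = (\beta \cdot h) \cdot f \cdot (k \cdot \alpha)
  = (\beta \cdot h) \cdot g \cdot (k \cdot \alpha)
  = \beta \cdot (h \cdot g \cdot k) \cdot \alpha ,
\]
so $h \cdot f \cdot k \sim h \cdot g \cdot k$. When $h$ and $k$ are isomorphisms the converse
holds as well (conjugate back with $h^{-1}$ and $k^{-1}$).

\paragraph{(a) $\approx' \subseteq \sim$.}
Take $U = V = 1$. The canonical isomorphisms $\iota_X : X \to [1,X] \times 1$ and
$\varepsilon_Y : [1,Y] \times 1 \to Y$ satisfy
$\varepsilon_Y \cdot ([1,f] \times 1) \cdot \iota_X = f$ (naturality of $X \cong [1,X] \times 1$ in $X$).
Hence $[1,f] \times 1 \sim [1,g] \times 1$ gives $f \sim g$ by (0).

\paragraph{(b) $\approx'$ is a congruence.}
Condition 1 of Lemma 1: since
\[
  [U, \beta \cdot f \cdot \alpha] \times V
  = ([U,\beta] \times V) \cdot ([U,f] \times V) \cdot ([U,\alpha] \times V),
\]
(0) turns $[U,f] \times V \sim [U,g] \times V$ into
$[U, \beta \cdot f \cdot \alpha] \times V \sim [U, \beta \cdot g \cdot \alpha] \times V$, i.e.
$f \approx' g \Rightarrow \beta \cdot f \cdot \alpha \approx' \beta \cdot g \cdot \alpha$.
Closure under $[U,-] \times V$: for any $U', V'$ the canonical isomorphism
\[
  \phi_X : [U', [U,X] \times V] \times V' \;\cong\; [U' \times U,\, X] \times ([U',V] \times V')
\]
is natural in $X$, so with $W = [U',V] \times V'$
\[
  [U',[U,f] \times V] \times V' = \phi_Y^{-1} \cdot \big([U' \times U, f] \times W\big) \cdot \phi_X .
\]
From $f \approx' g$ we have $[U' \times U, f] \times W \sim [U' \times U, g] \times W$, and (0) then gives
$[U',[U,f] \times V] \times V' \sim [U',[U,g] \times V] \times V'$ for all $U', V'$, i.e.
$[U,f] \times V \approx' [U,g] \times V$.
By the second formulation of Lemma 1(3), $C/{\approx'}$ is cartesian closed and
$C \to C/{\approx'}$ is a cartesian closed functor: $\approx'$ is a congruence.

\paragraph{(c) $\approx'$ is the largest congruence in $\sim$.}
Let $\equiv$ be a congruence with ${\equiv} \subseteq {\sim}$ and $f \equiv g$.
Invariance under exponentials and products gives $[U,f] \times V \equiv [U,g] \times V$,
hence $[U,f] \times V \sim [U,g] \times V$ for all $U, V$, i.e. $f \approx' g$.

Together, (a)--(c) say $\approx' = \approx$, which is Proposition 1.
```

Step (0) is also what makes the later definitions of $\sim_F$ and $\approx_F$ (Definition 4) behave the same way, since $F$ preserves composition.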

We can also make precise the relationship with Morris-style contextual equivalence. Any cartesian closed category can be regarded as a model of an applied lambda calculus in which we have base types corresponding to the objects of the category, and for each morphism $f : X \to Y$, we are given a term constructor (function) $f$, such that if $e$ is a term of type $X$, then $f(e)$ is a term of type $Y$ (as in Lambek and Scott [7]). As usual, a context $C[-]$ is a term with a hole (written $[-]$), such that when we plug a term of suitable type into the hole, we get something that we can run and observe. Making this precise for typed open terms is always messy. The simplest solution is to consider terms in context. In that case, we demand that 

$\dfrac{x : X \vdash e : Y}{a : A \vdash C[e] : B}$ 

should be an admissible rule for the type system (here, in order to make $C[e]$ directly observable, $(A, B) \in \mathrm{Obs}$). This can be achieved by ensuring that 

$\dfrac{x : X \vdash [-] : Y}{a : A \vdash C[-] : B}$ 

is a derived rule. 

Definition 3. Two terms $e$ and $e'$ (more accurately, two terms in the same context: $x : X \vdash e : Y$ and $x : X \vdash e' : Y$ ...) are contextually equivalent, $e = e'$, if and only if for all contexts $C[-]$, $M\{C[e]\} = M\{C[e']\}$, where $M\{e\}$ is the semantics of $e$ as taken in the category $C$. 

Proposition 2. $e = e'$ if and only if $M\{e\} \approx M\{e'\}$. 

Proof. In the if direction, this is a simple structural induction on the context. In the other, it depends on the expressibility of substitution via abstraction, application, and beta reduction, and on the fact that all morphisms in the category are expressible as terms in the calculus. 

3 Abstract Types 

An equationally specified abstract type consists of a new type equipped with operations linking it to pre-existing types, and certain equations on terms built from those operations. The canonical example is stack. For our purposes, we may as well have a number of new types, and we interpret the operations as (open) terms in context 

$x : X \vdash f : Y$ 

where the $X$ and $Y$ may be arbitrary type expressions built up from old and new types. This generates an extended lambda calculus in which the equations are interpreted as equality judgements 

$x : X \vdash e = e' : Y$ 

Such a system freely generates a cartesian closed category $E$ which comes with a cartesian closed functor $i : C \to E$. This functor is injective on objects, but in general is neither full nor faithful as we can add extra operations between pre-existing types and impose new equations between pre-existing operations. 
Conversely, given any injective on objects cartesian closed functor $i : C \to E$, the category $E$ is equivalent to a category constructed from $C$ in this fashion, as we may generate it using all objects in $E \setminus i(C)$ and take all valid equations. So we can take $i : C \to E$ as the extension of $C$ by some abstract types. 

We split this construction into two stages: first adjoin types and operations freely to give $i : C \to D$, and then quotient by the equations to give $q : D \to D/{\approx_{\mathcal E}}$. In fact, we shall never use the free property of $D$ and can take it to be an arbitrary cartesian closed category. The free property of such a $D$ is fundamental to the work generalising logical relations for an account of data refinement in (^. 

An implementation of the abstract type back in $C$ is given by a cartesian closed functor $F : D \to C$. We do not want to change the interpretation of the operations in $C$, so require $F \cdot i = \mathrm{id}_C$. We also want the interpretation to validate the equations of the abstract type, at least up to a suitable notion of observational congruence. We illustrate the problems with the canonical simple (but first-order) example: 

Example 2. Let $C$ be Set and let $D$ consist of Set together with the formal addition of a type stack together with its operations (empty, top, pop and push) and equations (pop(push(n, s)) = s, and top(push(n, s)) = n). An implementation amounts to a realisation of the type stack together with its operations and subject to its equations in Set in both cases. Consider an array implementation, in which stack is implemented by an (unbounded) array and a top pointer, and pop simply decrements the top pointer, leaving the array unchanged. In this implementation, the interpretation of pop(push(n, s)) is not equal to s. Moreover, in Set we can apply an operation which reads the stack one place above the top pointer, and hence observe the difference. Of course this violates the stack abstraction. 

The example above tells us that we cannot make the obvious restriction on $F$: if $e = e'$ is an equation of the abstract type, then $F(M\{e\}) \sim F(M\{e'\})$. Instead we must build in the notion that contexts have restricted access to abstract types. This leads to the following definition (cf. Definitions 1 and 2): 

Definition 4. 1. Suppose $F$ is a functor $D \to C$, and $f, g : X \to Y$ is a parallel pair of morphisms in $D$, then $f \sim_F g$ if and only if for all $(A, B)$ in $\mathrm{Obs}$, and for all $\alpha : iA \to X$ and $\beta : Y \to iB$, we have $F(\beta \cdot f \cdot \alpha) = F(\beta \cdot g \cdot \alpha)$. 

2. If in addition, $C$, $D$ and $F$ are cartesian closed, then $\approx_F$ is the largest congruence on $D$ contained in $\sim_F$ (i.e. $f \approx_F g$ if and only if for all $U, V$ in $\mathrm{ob}(D)$, $([U, f] \times V) \sim_F ([U, g] \times V)$). 

The implementation is valid if and only if all equations $x : X \vdash e = e' : Y$ hold up to contextual equivalence, i.e., $M\{e\} \approx_F M\{e'\}$, or equivalently, the quotient $D \to D/{\approx_F}$ factors through $D \to D/{\approx_{\mathcal E}}$. The only function of the equational theory is to restrict the notion of implementation. It has no effect on when two implementations are equivalent, and so now plays no further role in the story: it just, so to speak, comes along for the ride. 
Definition 5. Suppose $i : C \to D$ is an injective-on-objects cartesian closed functor between cartesian closed categories, and $\mathcal E$ is a set of parallel pairs of morphisms in $D$ (which we view as the equations of an abstract type system), then an implementation $F$ of $(D, \mathcal E)$ in $C$ is a cartesian closed functor $F : D \to C$, such that $F \cdot i = \mathrm{id}_C$, and for all $(f, g) \in \mathcal E$, $F(f) \approx_F F(g)$. 

We now observe some properties of $\approx_F$ that will help us to make precise what we mean by two implementations being equivalent. 

Proposition 3. Let $F : D \to C$ be a cartesian closed functor such that $F \cdot i = \mathrm{id}_C$. Then the following hold of $\approx_F$: 

1. for all $f, g : X \to Y$ in $D$, if $Ff \approx Fg$, then $f \approx_F g$. 

2. for all $f, g : X \to Y$ in $C$, if $f \approx g$, then $if \approx_F ig$. 

3. for all $f, g : iX \to iY$ in $D$, we have $f \approx_F g$ if and only if $Ff \approx Fg$. 

4. for all $f, g : iA \to iB$ in $D$, where $(A, B) \in \mathrm{Obs}$, we have $f \approx_F g$ if and only if $Ff = Fg$. 

Proof. 1. Suppose $Ff \approx Fg$. Then, given $\alpha : iA \to [U, X] \times V$ and $\beta : [U, Y] \times V \to iB$, we have 
$F(\beta \cdot ([U, f] \times V) \cdot \alpha) = F\beta \cdot ([FU, Ff] \times FV) \cdot F\alpha = F\beta \cdot ([FU, Fg] \times FV) \cdot F\alpha = F(\beta \cdot ([U, g] \times V) \cdot \alpha)$. 

2. Suppose $f \approx g$. Then, given $\alpha : iA \to [U, iX] \times V$ and $\beta : [U, iY] \times V \to iB$, we have 
$F(\beta \cdot ([U, if] \times V) \cdot \alpha) = F\beta \cdot ([FU, Fif] \times FV) \cdot F\alpha = F\beta \cdot ([FU, f] \times FV) \cdot F\alpha = F\beta \cdot ([FU, g] \times FV) \cdot F\alpha = F\beta \cdot ([FU, Fig] \times FV) \cdot F\alpha = F(\beta \cdot ([U, ig] \times V) \cdot \alpha)$. 

3. Suppose $f \approx_F g$. Then, given $\alpha : A \to [U, X] \times V$ and $\beta : [U, Y] \times V \to B$, we have 
$\beta \cdot ([U, Ff] \times V) \cdot \alpha = Fi\beta \cdot ([FiU, Ff] \times FiV) \cdot Fi\alpha = F(i\beta \cdot ([iU, f] \times iV) \cdot i\alpha) = F(i\beta \cdot ([iU, g] \times iV) \cdot i\alpha) = Fi\beta \cdot ([FiU, Fg] \times FiV) \cdot Fi\alpha = \beta \cdot ([U, Fg] \times V) \cdot \alpha$. 
The converse has already been shown. 

4. $Ff \approx Fg$ if and only if $Ff = Fg$ for observable types. 

Armed with these observations about the interaction of the definitions of $\approx$ and $\approx_F$, we can now establish relationships between a pair of interpretations $F$ and $G$, where we understand an interpretation to be defined to be a functor $F : D \to C$ such that $F \cdot i = \mathrm{id}_C$. 

Proposition 4. Let $F, G : D \to C$ be two interpretations. Then, the following are equivalent: 

1. $F$ and $G$ induce the same equivalence: $\approx_F = \approx_G$. 

2. $F$ and $G$ induce the same equivalence on observable operations: $\approx_F|_{\mathrm{Obs}} = \approx_G|_{\mathrm{Obs}}$. 

3. the interpretations of operations between pre-existing types are contextually equivalent: for all $f : iX \to iY$, we have $Ff \approx Gf$. 

4. the interpretations of observable operations are contextually equivalent (in fact, equal): for all $f : iA \to iB$ where $(A, B) \in \mathrm{Obs}$, we have $Ff \approx Gf$. 
Proof. $1 \Rightarrow 2$ and $3 \Rightarrow 4$ are immediate. 

$2 \Rightarrow 1$. Suppose $f \approx_F g : X \to Y$, and we have $\alpha : iA \to [U, X] \times V$ and $\beta : [U, Y] \times V \to iB$. Then $F(\beta \cdot ([U, f] \times V) \cdot \alpha) = F(\beta \cdot ([U, g] \times V) \cdot \alpha)$. But these are between observable types, hence by Proposition 3(4), we have $\beta \cdot ([U, f] \times V) \cdot \alpha \approx_F \beta \cdot ([U, g] \times V) \cdot \alpha$. So $\beta \cdot ([U, f] \times V) \cdot \alpha \approx_G \beta \cdot ([U, g] \times V) \cdot \alpha$; and hence by Proposition 3(4) again, we have $G(\beta \cdot ([U, f] \times V) \cdot \alpha) = G(\beta \cdot ([U, g] \times V) \cdot \alpha)$. 

$1 \Rightarrow 3$. Given $f : iX \to iY$, we have $Ff = FiFf$, so by Proposition 3(1), we have $f \approx_F iFf$. So $f \approx_G iFf$, and hence by Proposition 3(3), we have $Gf \approx GiFf = Ff$. 

$4 \Rightarrow 2$. Given $f, g : iA \to iB$ where $(A, B) \in \mathrm{Obs}$, suppose $f \approx_F g$. Then $Ff = Fg$. But by hypothesis, $Ff = Gf$, and $Fg = Gg$, so $Gf = Gg$. Hence $f \approx_G g$. 

Any of the above conditions would be a reasonable definition of equivalence of implementation. So the proposition conveniently justifies the following. 

Definition 6. Two interpretations $F, G : D \to C$ are equivalent if they satisfy the equivalent conditions of Proposition 4. 

Example 3. 1. Suppose $F$ and $G$ correspond to two implementations of stack, in both of which the underlying type of stack is the product of an unbounded array of integers (giving the stack), and a non-negative integer (giving the top pointer). In $F$, pop is implemented by decrementing the top pointer, and leaving the stack unchanged. In $G$, the top pointer is decremented, and the cell popped is set to zero in the array. $F$ and $G$ are otherwise identical. Then $F$ and $G$ are equivalent implementations. 

2. It is not necessary for the underlying types to be the same in the two implementations: if $F$ is the array implementation of stack mentioned above, and $G$ is a list implementation, then $F$ and $G$ will be equivalent exactly when they agree about top(empty) and pop(empty). 

4 Logical Relations 

In 0, Ma and Reynolds began by analysing the classical theory of logical relations for simple types. They focussed on the structure needed to prove the fundamental theorem. For binary relations, this amounts to a cartesian closed category $B$ equipped with a cartesian closed functor $p = (p_0, p_1) : B \to C \times C$, and that cartesian closed functor is typically a fibration [3]. In their theory, $B$ is constructed concretely as a category of relations, and so comes with a standard diagonal $\Delta : C \to B$. This is also a cartesian closed functor. 

For instance, consider $C$ being the category Set. Then an object of $B$ consists of a pair $(X, Y)$ of sets together with a subset $R$ of $X \times Y$. The diagonal $\Delta : C \to B$ is indeed the diagonal in the usual sense, taking a set $X$ to the subset $\{(x, x) \mid x \in X\}$ of $X \times X$. 

The significance of the fact that $B$ has, and all the functors preserve, cartesian closed structure, together with the fact that $p = (p_0, p_1) : B \to C \times C$ is a fibration, is that logical relations can be defined on base types, and then extended inductively on the syntax of type expressions as usual. See 0 for a careful analysis of this. Technically, we do not need this much structure for soundness, but having it gives a stronger completeness result and a better link in to logics for reasoning about the type systems. So we take this structure as a characterisation of logical relations, but since our categories are more abstract than those of Ma and Reynolds, we require an abstract characterisation of the diagonal. Moreover, we would like the diagonal to characterise contextual equivalence, not equality. 

In the standard relational setting, when $R \subseteq X_0 \times X_1$ and $S \subseteq Y_0 \times Y_1$, a map in $B$ from $R$ to $S$ is exactly a pair of maps $f_0 : X_0 \to Y_0$ and $f_1 : X_1 \to Y_1$, such that $f_0 \times f_1$ maps $R$ into $S$, i.e. a pair of maps which respects the relations $R$ and $S$. In our more abstract setting it is not necessarily true that a map in $B$ is given by a pair of maps in $C$, and so we shall regard a pair of maps $(f_0, f_1)$ as respecting the "relations" $R$ and $S$ exactly when there is a map $f : R \to S$ such that $p_0(f) = f_0$ and $p_1(f) = f_1$. This enables us to pick out the essential property we need of the diagonal functor: that if two maps preserve diagonals, then they are contextually equivalent. 

Definition 7. Let $p = (p_0, p_1) : B \to C \times C$ be a cartesian closed functor, and let $\mathcal D : C \to B$ be a cartesian closed functor such that $p \cdot \mathcal D = \Delta : C \to C \times C$. Then we say $\mathcal D$ is diagonal if, for all $f : \mathcal D X \to \mathcal D Y$, it follows that $p_0 f \approx p_1 f$. 

For a formal definition and exposition of the notion of fibration, one may see Claudio Hermida's thesis 0, half of which is about the relationship between logical relations and fibrations. The idea is that a fibration with structure, in particular cartesian closed structure, provides a category theoretic equivalent to having a predicate logic with which one can build logical relations. Formally, the definition is as follows. 

Definition 8. A functor $p : V \to C$ is called a fibration if for every object $X$ of $V$ and every map of the form $g : A \to pX$ in $C$, there is an arrow $\bar g_X : g^*(X) \to X$ in $V$ such that $p(g^*(X)) = A$ and $p(\bar g_X) = g$, and the following universal property is satisfied: 

for every arrow $f : Z \to X$ and every arrow $h : pZ \to p(g^*(X))$ such that $g \cdot h = p(f)$, there exists a unique arrow $k : Z \to g^*(X)$ such that $p(k) = h$ and $\bar g_X \cdot k = f$. 

Example 4. We recast our major example of binary relations as follows. $C$ is $\mathrm{Set} \times \mathrm{Set}$. The objects of $V$ are binary predicates (formally, a pair of sets $(X_0, X_1)$, together with a predicate $R(x_0, x_1)$ on them). A morphism from $(X_0, X_1, R(x_0, x_1))$ to $(Y_0, Y_1, S(y_0, y_1))$ is a pair of functions $(f_0, f_1)$, such that 

$\models \forall x_0, x_1.\ R(x_0, x_1) \Rightarrow S(f_0(x_0), f_1(x_1))$ 

If $X = (X_0, X_1, R(x_0, x_1))$, and $g = (g_0 : Z_0 \to X_0,\ g_1 : Z_1 \to X_1)$, then 

$g^*(X) = (Z_0, Z_1, R(g_0(z_0), g_1(z_1)))$. 
Definition 9. $F$ and $G$ are linked by a logical relation if there is a cartesian closed category $B$ and a cartesian closed fibration $p : B \to C \times C$ together with a cartesian closed functor $L : D \to B$ lying over $(F, G)$ (i.e. $p_0 \cdot L = F$ and $p_1 \cdot L = G$) such that $\mathcal D = L \cdot i$ is diagonal. 

(Diagram: $L : D \to B$ lies over $(F, G) : D \to C \times C$, with $p = (p_0, p_1) : B \to C \times C$.) 

We can now immediately prove the soundness of this form of logical relation for proving equivalence of implementations. 

Proposition 5. If $F$ and $G$ are two implementations which are linked by a logical relation, $L$, then $F$ and $G$ are equivalent. 

Completeness involves a variant of Jung and Tiuryn's Kripke logical relations of varying arity. 



5 Jung-Tiuryn’s Logical Relations of Varying Arity 

In this section, we outline how we prove the completeness part of our main result. Given equivalent interpretations $F, G : D \to C$, we seek a cartesian closed fibration $p : B \to C \times C$ and a cartesian closed functor from $D$ to $B$. Our construction is motivated by Jung and Tiuryn's construction of Kripke logical relations of varying arity pl, though it corresponds to a variant and not their precise construction. (It is possible to prove the result we want in a way that corresponds precisely to theirs. The construction is, however, less compact and less obviously generalisable.) 

First, Jung and Tiuryn's choice of name is questionable. Their paper is concerned with definability in the simple type hierarchy. Definability is a unary predicate, and there is a precise sense in which the relations they define are, despite appearances to the contrary, unary relations. We try to explain this viewpoint below, giving first an informal motivational account, and then an account of the machinery which can be used to make the presentation rigorous. Our informal account will confuse terms and their semantics. 

Jung and Tiuryn's work can be reconstructed as follows. We want to provide an invariance property of the lambda definable functions. We hope this can be expressed by a logical relation. In other words, we hope that the set of $\lambda$-definable functions is a unary logical relation. Unfortunately in the standard picture, it is not. This is because in the standard theory we can only talk about the elements of the sets which are carriers (closed terms), and there are plenty of functions which send definable elements to definable elements, but are not themselves definable. One way of looking at Jung and Tiuryn's achievement is that they found a clever way of talking about open terms. This allows us to take our operation and apply it to the definable open term "$x$". If the result is definable, by $e$ say, then the operation must have been definable by $\lambda x.e$. 

In Jung and Tiuryn's account the open terms appear semantically, and stratified by context. That is to say we are given a signature of (typed) variables which may appear in the operation, and the term (say of type $D$) appears as a function from the set of environments for that signature to $D$. Instead of viewing this as a function, Jung and Tiuryn view it as a tuple whose components are indexed by environments, and hence as an element of a relation on $D$ whose arity is the set of environments. In order that a property of an open term remains true when we enlarge the environment, Jung and Tiuryn use a Kripke structure in which the worlds are the possible signatures. This means that from their perspective, what they have is a relation which is always on the set $D$, but whose arity varies as we move between worlds. However, another way of looking at the same structure is that the relation is always unary, but that the set on which it is a relation is the set of terms definable at that world, and hence varies from world to world. 

The standard way to obtain logical relations is to take a semantics in Set, and 
to use subsets. A theme of this paper is that this can equally well be regarded 
as using the standard logic of Set. This can be varied by using other categories 
and other logics. The technical tool we use for doing this is to interpret a logic 
as a fibration with structure. If the logic admits $\top$, $\wedge$, $\to$ and $\forall$, as well as 
substitution, then it yields a category of logical relations. The observation that 
these operations are all that is required to define product and exponential of 
logical relations should make that immediately credible, even if it does not furnish a 
proof. These two approaches meet in the standard logic of predicates interpreted 
as subobjects. 

In standard Kripke logical relations for the simple type hierarchy, we are given 
an indexing category $W$. The types of the hierarchy are interpreted as constant 
functors in the presheaf topos $[W^{op}, \mathrm{Set}]$, so $(\Delta d)w = d$. Kripke logical relations 
are derived from the natural logic of the topos, that is predicates correspond 
to subfunctors (a subfunctor of $F$ is a functor $G$ such that at each world $w$, 
$Gw \subseteq Fw$). For connected $W$, the functor $\Delta : \mathrm{Set} \to [W^{op}, \mathrm{Set}]$ is a full and 
faithful cartesian closed functor. This means that the simple type hierarchy on 
$d$ in $\mathrm{Set}$ is sent by $\Delta$ to the simple type hierarchy on $\Delta d$ in $[W^{op}, \mathrm{Set}]$. So we 
can either regard this construction as the form of logical relations obtained from 
a standard logic for a non-standard set in non-standard set theory, or we can 
regard it as a non-standard logic for a standard set in standard set theory. The 
Jung-Tiuryn construction resolves this in favour of the second. 

In the Jung-Tiuryn construction, $W$ is assumed to be a concrete category, 
i.e., a category of sets and functions. So they have a functor $J : W \to \mathrm{Set}$, 
which they assume to be faithful (although never using that), and essentially 
what they do is replace the functor $\Delta : \mathrm{Set} \to [W^{op}, \mathrm{Set}]$ above by the functor 
$\hat J : \mathrm{Set} \to [W^{op}, \mathrm{Set}]$, sending $d$ to the functor $\mathrm{Set}[J-, d]$. 

We make two minor modifications of this. First we start with a functor, 
$F : D \to C$. We turn it around to obtain the functor $\hat F : C \to [D^{op}, \mathrm{Set}]$ 
sending $X$ to the functor $C(F-, X) : D^{op} \to \mathrm{Set}$. We get unary logical relations 
by considering the subobject fibration over $[D^{op}, \mathrm{Set}]$ (the standard logic there), 
and we can take the pullback of that cartesian closed fibration along $\hat F$ to obtain 
a cartesian closed fibration over $C$ (a non-standard logic). This involves some 
delicacy. Although the functor $F$ is cartesian closed, it does not follow that $\hat F$ is 
cartesian closed. But $\hat F$ does preserve finite products, which is sufficient for the 
results we seek. 

Next we take a slightly unexpected binary version of this. It would be normal, 
given a functor $K : C \to [D^{op}, \mathrm{Set}]$ to consider the pullback of a fibration over 
$[D^{op}, \mathrm{Set}] \times [D^{op}, \mathrm{Set}]$ along $K \times K$. But that is not what we propose. We have 
functors $\hat F, \hat G : C \to [D^{op}, \mathrm{Set}]$ and we shall take the pullback along $\hat F \times \hat G$. 
We do obtain the result we seek, but this is a most unusual construction. For 
instance, there seems no way to lift $\hat F \times \hat G$ to a functor from the binary subobject 
fibration $\mathrm{Sub}_2(C)$ over $C \times C$ to the binary subobject fibration $\mathrm{Sub}_2([D^{op}, \mathrm{Set}])$ 
over $[D^{op}, \mathrm{Set}] \times [D^{op}, \mathrm{Set}]$, but that is a fundamental construction of fibrations, 
simply not one we need here. 

Finally, one needs a little caution. Ideally, we would like the construction of 
our cartesian closed fibration $p : B \to C \times C$ to be independent of the choice of 
$F$ and $G$, with $F$ and $G$ only being required in order to construct $L : D \to B$. 
But we cannot see how to do that: that is a particular sense in which we see 
the relationship with Jung and Tiuryn’s work, as they have an extra parameter 
$J : W \to \mathrm{Set}$ in their work too, and it was that extra parameter that inspired 
us. 



6 Completeness of Logical Relations 

In this section, we consider the completeness half of the result we seek. So, given 
a pair $F, G : D \to C$ of equivalent interpretations, we seek a cartesian closed 
fibration $p : B \to C \times C$ and a cartesian closed functor $L : D \to B$ lying over 
$(F, G)$ such that the composite $L \cdot i$ is diagonal. 



[Diagram omitted: the fibration $p = (p_0, p_1) : B \to C \times C$ and the functor $L : D \to B$ lying over it.] 



As mentioned in the previous section, given an arbitrary functor $F : D \to C$, 
we consider the functor $\hat F : C \to [D^{op}, \mathrm{Set}]$ that sends an object $X$ of $C$ to 
the functor $C(F-, X) : D^{op} \to \mathrm{Set}$. It follows from the Yoneda lemma that we 
have 

Proposition 6. For any $F : D \to C$, if $C$ has finite products, then the functor 
$\hat F : C \to [D^{op}, \mathrm{Set}]$ preserves finite products. 

Also, as a standard example of a fibration [?], we have 

Example 5. Let $C$ be any category with finite limits. Let $\mathrm{Sub}_2(C)$ have objects 
$(X, Y, R \rightarrowtail X \times Y)$ consisting of a pair $(X, Y)$ of objects of $C$ together with a 
subobject $R$ of $X \times Y$, and with the evident arrows. Then the forgetful functor 
$\mathrm{Sub}_2(C) \to C \times C$ is a fibration. If $C$ is cartesian closed, the fibration is a 
cartesian closed fibration. It is the standard fibration of binary predicates for $C$. 

Proposition 7. Given categories $C'$ and $C$ with finite products, a finite product 
preserving functor $K : C' \to C$, and a finite product preserving fibration $p : 
V \to C$, then the pullback $K^*(p)$ of $p$ along $K$ gives a finite product preserving 
fibration $K^*(p)$ over $C'$. 

A proof of this result appears in Hermida’s thesis [?], but it can also be 
verified by direct calculation. 

Corollary 1. Given $F, G : D \to C$ where $C$ has finite products, the pullback 
of $\mathrm{Sub}_2[D^{op}, \mathrm{Set}]$ along $\hat F \times \hat G$ gives a finite product preserving fibration 
$(\hat F \times \hat G)^*(\mathrm{Sub}_2[D^{op}, \mathrm{Set}])$ over $C \times C$. 

In fact, the fibration $(\hat F \times \hat G)^*(\mathrm{Sub}_2[D^{op}, \mathrm{Set}])$ is the one we want, so we 
shall duly denote it by $B$. This is essentially a sconing of the ordinary binary 
subobject fibration on the presheaf category $[D^{op}, \mathrm{Set}]$. It is easy to prove by 
direct calculation, using some pullbacks in the presheaf category, that we have 

Theorem 1. Given $F, G : D \to C$, supposing $C$ is cartesian closed, then $B = 
(\hat F \times \hat G)^*(\mathrm{Sub}_2[D^{op}, \mathrm{Set}])$ is a cartesian closed fibration over $C \times C$. 

Proof. The only point here that requires checking is that $B$ is cartesian closed 
and that the functor to $C \times C$ preserves the cartesian closed structure. This fol- 
lows from a careful analysis of what the objects of $B$ are. Given an object $(X, X')$ 
of $C \times C$, an object of $B$ over $(X, X')$ is a subfunctor of $C(F-, X) \times C(G-, X')$. 
Using cartesian closedness of $\mathrm{Sub}_2([D^{op}, \mathrm{Set}])$ over $[D^{op}, \mathrm{Set}] \times [D^{op}, \mathrm{Set}]$, given 
subfunctors of $C(F-, X) \times C(G-, X')$ and $C(F-, Y) \times C(G-, Y')$, one can 
construct a subfunctor of the exponential $[C(F-, X) \times C(G-, X'),\ C(F-, Y) \times 
C(G-, Y')]$. Finally, taking the pullback of that subfunctor along the canon- 
ical comparison map from $C(F-, [X, Y]) \times C(G-, [X', Y'])$ to $[C(F-, X) \times 
C(G-, X'),\ C(F-, Y) \times C(G-, Y')]$ gives the exponential in $B$ that we seek. 

This is a specific example of a general construction. Now we have the data 
we require in order to state and prove our main result. 

Theorem 2. If $F$ and $G$ are equivalent interpretations, they are linked by a 
logical relation. 

Proof. Define $B$ as in Theorem 1. It remains to define $L : D \to B$ over $(F, G)$, 
prove it is cartesian closed, and prove that $L \cdot i$ is diagonal. So for an object $d$ 
of $D$, define $Ld$ to be the subfunctor of $C(F-, Fd) \times C(G-, Gd)$ given by 

$$Ld(c) = \{(g : Fc \to Fd,\ h : Gc \to Gd) \mid \exists f : c \to d.\ Ff = g \wedge Gf = h\}.$$

It is routine to verify that $L$ preserves finite products; it takes consider- 
ably greater but still routine effort to verify that it preserves cartesian closed 
structure. It follows directly from the definition and the fact that $F$ and $G$ are 
equivalent that $L \cdot i$ is diagonal. 

Combining this completeness result with the soundness result of the previous 
section, we have a combined soundness and completeness result as follows. 

Theorem 3. Two interpretations F and G are equivalent if and only if they are 
linked by a logical relation. 
Abstract. Existential statements seem to admit a constructive proof 
without countable choice only if the object to be constructed is uniquely 
determined, or is intended as an approximate solution of the problem in 
question. This conjecture is substantiated by re-examining some basic 
tools of mathematical analysis from a choice-free constructive point of 

1 Unique Existence and Countable Choice 

Following Beeson ([2], page 25, footnote 16), 

Bridges has observed that in general, existence theorems seem to be con- 
structive when the object whose existence is in question is unique. Otherwise 
put, non-constructive theorems always involve non-uniqueness. ... In prac- 
tice, whenever a theorem is known to be non-constructive, the solution whose 
existence is non-constructive is also non-unique. Conversely, the difficulty in 
constructivizing certain problems . . . seems to be intimately related to the fact 
that the solutions are not known to be (locally) unique. 

The purpose of this article is to reconsider Bridges’s conjecture by concentrating 
on constructive proofs which, in addition, require as little countable choice as 
possible. Making therefore explicit every subsequent invocation of choice prin- 
ciples, we proceed in the context of Bishop’s constructive mathematics ([?]; see 
also [?], and, for a general overview, [?]). In its today’s liberal interpreta- 
tion advocated by Bridges, Richman, and others (see, e.g., [?]), this is, roughly 
speaking, mathematics carried out by intuitionistic logic¹, and thus simultane- 
ously generalises classical, (constructive) recursive, and intuitionistic mathemat- 
ics. According to Bridges [?], constructive mathematics in Bishop’s sense is also 
suitable as a framework for computational analysis of whatever kind. 

¹ Anybody questioning whether ex falso quodlibet (EFQ) is really used in constructive 
practice might take into account that, even within minimal logic, EFQ is equivalent 
with $(P \vee Q) \wedge \neg Q \to P$. 

Here is our first and guarded claim: 

Locally unique existence is closely related with choice-free construction. 

One might be able to by-pass choice also in many — if not all — of the rather 
frequent situations where a particular problem possibly has several solutions: 

— uniqueness can be forced by gathering beforehand all the solutions which 
belong to each other in a natural way; 

— the question of local (non)uniqueness can be avoided from the outset by 
concentrating on approximate instead of exact solutions. 

Postponing examples that illustrate either point, let us notice that the former 
supports the claim we made above whereas the latter leads to the second half of 
our thesis: 

Constructions of approximate solutions do presumably not require choice. 

We now briefly explain the role of choice principles within constructive mathe- 
matics. Although the axiom of choice in its full form can never be transferred to 
any constructive framework for entailing the certainly nonconstructive principle 
of tertium non datur², two special cases have yet frequently been invoked by 
most constructive mathematicians: 

Countable Choice (CC). Given a sequence $(A_n)_{n \in \mathbb{N}}$ of nonempty sets, there 
is a sequence $(a_n)_{n \in \mathbb{N}}$ such that $a_n \in A_n$ for every $n \in \mathbb{N}$. 

Dependent Choice (DC). If $A$ is a nonempty set and $S \subseteq A \times A$ such that 
for every $a \in A$ there is some $a' \in A$ with $(a, a') \in S$, then for each $a_0 \in A$ 
there is a sequence $(a_n)_{n \in \mathbb{N}}$ in $A$, beginning with $a_0$, such that $(a_n, a_{n+1}) \in S$ 
for all $n \in \mathbb{N}$. 

² Diaconescu and Goodman-Myhill [?] have proven this within intuitionistic 
topos theory and constructive set theory, respectively, supposing that — as usual in 
constructive mathematics, too, where equality is a defined relation — any (choice) 
function $f$ is extensional, that is, $x = y \Rightarrow f(x) = f(y)$ for all $x, y$. 

Let us briefly summarise this argument, following [?]. Given any proposition $P$, 
consider the sets 

$$A = \{x \in \{0, 1\} : P \vee x = 0\}, \qquad B = \{x \in \{0, 1\} : P \vee x = 1\},$$

and note that both $A$ and $B$ are nonempty for $0 \in A$ and $1 \in B$ in any case. If 
$f : \{A, B\} \to A \cup B$ is a choice function for these data, that is, $a = f(A) \in A$ 
and $b = f(B) \in B$, then both $P \vee a = 0$ and $P \vee b = 1$ or, equivalently, either $P$ 
or $a = 0 \wedge b = 1$; whence we only have to derive $\neg P$ from $a = 0 \wedge b = 1$. To this 
end, assume $P$; then $A = \{0, 1\} = B$ and thus $a = b$ by the extensionality of $f$, a 
contradiction. See also footnote 3. 
Whereas countable choice is nothing else but the countable version of full choice, 
dependent choice is slightly stronger, but appears to be indispensable wherever 
infinite sequences are ‘constructed’ step-by-step. The justification of either prin- 
ciple common to nearly all schools of constructive mathematics is based on 
the Brouwer-Heyting-Kolmogorov interpretation (BHK) of any $\forall n \exists a$ statement, 
which says that some algorithm $n \mapsto a$ has to be in the background. Moreover, 
since integers are said to be given as such, not requiring any extra presenta- 
tion, every (of course, deterministic) algorithm fed with integer inputs defines a 
function with integer arguments — in other words, a sequence³. 

In spite of this good argument for accepting countable and dependent choice, 
there are just as good reasons for rejecting these putatively constructive choice 
principles. The idea to refrain from their use in constructive mathematics was 
brought up by Ruitenburg [?] and subsequently put forward by Richman [?]; 
further substantial steps in the direction of a choice-free constructive mathemat- 
ics have been made since. We refer to [?] for an overview from Richman’s own 
standpoint, including several case studies which clearly show the virtues of doing 
constructive mathematics without countable choice. 

One of the main counterarguments is that the use of choice for solving 
parametrised equations seems to hinder the solutions from depending continu- 
ously upon the parameters: choice might enable us to switch between the different 
branches of the solution, thus producing points of discontinuity; even ‘choosing’ 
a fixed branch would become rather useless as soon as we cross some branching 
point. If, on the other hand, the solutions are uniquely determined by the pa- 
rameters, such discontinuity phenomena are impossible; moreover, solutions are 
then functions in the parameters and thus continuously dependent on the latter. 
In constructive mathematics, namely, solutions have to be algorithms with the 
parameters as inputs, and functions with discontinuities cannot be defined at 
all⁴. 

³ Nothing else but BHK stands also behind the derivation of the choice principle 
particular to Martin-Löf’s intuitionistic type theory (ITT); see pages 50-52 of [?]. 
This circumstance has even been noted expressis verbis in the middle of page 50 ibid.: 
“The same idea [the justification of choice by means of BHK] can be put into symbols, 
getting a formal proof [of the choice principle in ITT] . . . ”. Because the domains of 
choice functions in ITT are allowed to be ‘sets’ without any apparent restriction, it 
is necessary to stress that in ITT every set has to come along with special rules for, 
e.g., introduction and elimination (op. cit., page 24), just as $\mathbb{N}$ is formed from the 
initial element 0 by the successor operation and embodies the principle of induction. 
If only in this sense, choice in ITT could be related with CC, notwithstanding the 
fact that, unlike $\mathbb{N}$, sets in ITT are in general neither denumerable nor equipped 
with a decidable equality. 

In view of the fact that ITT is a definitely constructive theory, it is reasonable to 
ask why the provability of the choice principle belonging to ITT does not conflict with 
what we have recalled in footnote 2, namely, that the full axiom of choice entails the 
law of excluded middle. The answer to this question is neither that, unlike sometimes 
suspected, choice functions in ITT need not be extensional (in general, they need), 
nor that $A$ and $B$ do not fit the demands of a set in ITT (in spite of their somewhat 
pathological character, they do). What hinders us from applying the ITT version 
of choice to this situation is rather that, in ITT, something like $\{A, B\}$ cannot be 
equipped with the extensional equality according to which $A$ and $B$ are identified 
precisely when they possess the same elements — an essential assumption in footnote 
2. Such set formation, however, becomes possible as soon as ITT is enriched by 
extensional power sets or effective quotients, constructors which indeed infect ITT 
with classical logic; see Maietti [?] and Maietti-Valentini [?]. 

Why exact solutions might require more choice than approximate ones should 
become clearer when choice is viewed as a uniformisation principle, transform- 
ing any $\forall\exists$ statement into the corresponding $\exists\forall$ statement. To this end, let us 
consider some continuous real-valued function $f$ on the unit interval $I = [0, 1]$, 
and suppose that we are given the conclusion of the approximate intermediate 
value theorem, that is, 

(1) $\forall \varepsilon > 0\ \exists x \in I : |f(x)| < \varepsilon$. 

From this fact we could extract — but presumably only by countable choice — 
some sequence $(x_n)$ in $I$ with $|f(x_n)| < 1/n$ for all $n \geq 1$. Disregarding that, for 
localising some cluster point in $I$ of the sequence $(x_n)$, in most cases we needed 
the sequential compactness of $I$ which is a rather nonconstructive principle⁵, any 
such cluster point would constitute a witness for $\exists x \in I : f(x) = 0$. 

However, by simply writing this conclusion of the exact intermediate value 
theorem in the less usual but equivalent form 

(2) $\exists x \in I\ \forall \varepsilon > 0 : |f(x)| < \varepsilon$, 

one realises which role choice plays in this context: assuming what shall be argued 
for in section 4, namely, that statements like (1) seem to allow choice-free proofs, 
countable choice proves to be the price one has to pay for the extra step towards 
(2) unless something else helps, for instance, unique existence. 



2 Completeness of Real Numbers 

There are fewer Cauchy reals than Dedekind reals in the absence of count- 
able choice⁶, which is also very likely to be indispensable for proving any com- 
pleteness property of Cauchy reals⁷. This situation can already be related with 
(non)uniqueness phenomena: although the limit of some convergent sequence is 
uniquely determined up to equality, no canonical ‘choice’ can be made of any 
rational Cauchy sequence representing a given real number. 

⁴ In intuitionistic and constructive recursive mathematics, functions on continuous 
domains such as intervals can even be proven to be pointwise continuous; compare 
[?], chapter 6. 

⁵ See, however, [?] for investigations of the constructive content of this principle. 

⁶ According to [?], pages 138-140, the rationals are embedded as globally constant 
functions into the choice-free intuitionistic model of the reals that consists of all 
the continuous functions on some (classical) topological space. Because statements 
about reals are local properties in this model, every continuous function can be 
approximated arbitrarily closely by rationals, whereas any limit of a sequence of 
rationals has to be locally constant. 

⁷ Unless Cauchy sequences are equipped with Cauchy moduli in the sense of [?] 
and [?], chapter 5. As Richman noticed, a Cauchy sequence of Cauchy reals in 

Dedekind reals, on the other hand, admit almost by definition (and without 
choice) the following well-known version of order completeness, which seems to 
be stronger than sequential completeness in the absence of countable choice. 

Least-Upper-Bound Principle (LUB). A nonempty set $S$ of real numbers 
that is bounded above possesses a supremum provided that 
(*) given reals $\alpha < \beta$, either $s \leq \beta$ for all $s \in S$ or $\alpha < r$ for some $r \in S$. 

A supremum of $S$ is a real number $\sigma$ such that 

▷ $s \leq \sigma$ for all $s \in S$; 

▷ if $\rho$ is a real number with $\rho < \sigma$, then $\rho < r$ for some $r \in S$. 

Note that each supremum of $S$ is a least upper bound in the usual sense; in 
particular, it is uniquely determined, and we may denote it by $\sup S$. Moreover, 
condition (*) is even necessary for the existence of a supremum, and it suffices 
to check (*) for any ordered pair $\alpha < \beta$ of rational numbers. LUB is, of course, 
equivalent with the analogous statement about infima, or greatest lower bounds. 

By a Dedekind real we understand a located Dedekind cut in the rationals, 
that is, a pair $(L, U)$ of disjoint nonempty open subsets of $\mathbb{Q}$ such that either 
$p \in L$ or $q \in U$ for all $p, q \in \mathbb{Q}$ with $p < q$. The strict partial order of Dedekind 
reals is given by $(L, U) < (L', U')$ if and only if $L' \setminus L$ or, equivalently, $U \setminus U'$ 
is nonempty; the weak partial order is given by $(L, U) \leq (L', U')$ if and only if 
$L \subseteq L'$ or, equivalently, $U' \subseteq U$. Inequality $\neq$ is, of course, the disjunction of $<$ 
and $>$; equality $=$ as the conjunction of $\leq$ and $\geq$ is nothing else but the usual 
equality relation between pairs of sets. Referring to section 4 of [?] for further 
details, we write $\mathbb{R}$ for the set of Dedekind reals. 

In $\mathbb{R}$, however, as in every constructive model of the reals, one ought to be 
careful with the use of negation: although it is readily seen that $x \leq y$ coincides 
with $\neg(x > y)$ and that, consequently, $x = y$ can be identified with $\neg(x \neq y)$, it 
is quite obvious that $x < y$ and $x \neq y$ are constructively stronger than $\neg(x \geq y)$ 
and $\neg(x = y)$, respectively. Let us point out that we shall often employ 

(†) $x < y \Rightarrow x < z \vee z < y$, 

an axiom scheme easily justified for Dedekind reals which has proven to be a 
good substitute for the nonconstructive law of dichotomy $z \leq 0 \vee z \geq 0$. 

Let $\mathfrak{R}$ be an archimedean ordered Heyting field, that is, a model of Bridges’s 
[?] set of axioms minus LUB. These axioms (of course, together with LUB) 
embody all the properties of real numbers that are commonly accepted in con- 
structive mathematics, as there is (†); needless to say, $\mathbb{R}$ is a perfect model of 
those axioms. In particular, any such $\mathfrak{R}$ contains $\mathbb{Q}$ as a dense subfield in the 
sense that for all $x, y \in \mathfrak{R}$ with $x < y$ there is some $q \in \mathbb{Q}$ such that $x < q < y$. 

(⁷ continued) the modulated context is nothing else but a doubly indexed sequence of rational 
numbers, a notion lacking one of the main features of Cauchy sequences in general, 
namely, that they can be utilised for completing arbitrary metric spaces. Compare, 
however, footnote [?]. 
The following theorem has been pointed out to us by Fred Richman. 

Theorem 1. LUB is valid for $\mathfrak{R}$ if and only if there is an order preserving 
mapping $j : \mathbb{R} \to \mathfrak{R}$ that operates as identity on $\mathbb{Q}$. 

Proof. If $\sigma = (L, U) \in \mathbb{R}$, then $L \subseteq \mathbb{Q}$ — considered as a subset of $\mathfrak{R}$ — satisfies 
condition (*). Provided LUB for $\mathfrak{R}$, set $j(\sigma) = \sup L$; it is routine to verify that $j$ 
is order preserving, and that $j|_{\mathbb{Q}}$ is the identity. Conversely, if $S \subseteq \mathfrak{R}$ fulfills the 
hypotheses of LUB, then $\sigma_S = (L_S, U_S) \in \mathbb{R}$ with $L_S, U_S$ as the open kernels of 

$$\{p \in \mathbb{Q} \mid \exists s \in S : p < s\}, \qquad \{q \in \mathbb{Q} \mid \forall s \in S : s < q\},$$

respectively; moreover, $j(\sigma_S)$ is the supremum of $S$. □ 

Let us underline that we shall utilise the notions of Cauchy sequence and of 
convergence of sequences in $\mathfrak{R}$ only when LUB is valid for $\mathfrak{R}$, in order to have 
$|x| = \max\{x, -x\}$ for any $x \in \mathfrak{R}$. Indeed, (†) implies (*) for any $S$ of the form 
$\{x_1, \ldots, x_n\}$; whence $\max\{x_1, \ldots, x_n\}$ and $\min\{x_1, \ldots, x_n\}$ exist in presence of 
LUB for all $x_1, \ldots, x_n \in \mathfrak{R}$. 

The derivation of sequential completeness from LUB given by Bridges [?] 
can easily be rendered choice-free; we nevertheless prove this fact in the way 
particular to Dedekind reals, following page 132 of [?]: 

Corollary 1. If LUB obtains for $\mathfrak{R}$ then every Cauchy sequence in $\mathfrak{R}$ converges. 

Proof. Each Cauchy sequence $(x_n)$ in $\mathfrak{R}$ determines a Dedekind real $\xi = (L_\xi, U_\xi)$: 
let $L_\xi, U_\xi$ be the open kernels of 

$$\{p \in \mathbb{Q} \mid \exists N\ \forall n \geq N : p < x_n\}, \qquad \{q \in \mathbb{Q} \mid \exists N\ \forall n \geq N : x_n < q\},$$

respectively. Moreover, $(x_n)$ converges to $j(\xi)$. □ 

Corollary 2. Dedekind reals satisfy LUB and are sequentially complete. □ 

In particular, $\mathbb{R}$ is a model of the whole set of Bridges’s axioms [?], including 
LUB. 

All these results can equally be applied to the formal reals presented by Negri- 
Soravia [?], real numbers developed within the (constructive and predicative) 
formal topology due to Sambin [?]. Very roughly speaking, a formal real $\alpha$ 
consists of pairs of rationals $p < q$ such that the open intervals $]p, q[$ form a 
neighbourhood base of $\alpha$. It is easily checked that the natural bijection between 
formal and Dedekind reals is an order isomorphism (compare [?], sections 5 
and 9); hence we get LUB for formal reals, too⁸. Every model akin to formal 
reals therefore appears to be as suitable as Dedekind reals for any choice-free 
approach⁹; however, if only for the sake of a uniform presentation, we have chosen 
to concentrate on the latter: from now on, we understand by a real number always 
a Dedekind real. 

⁸ In order to avoid impredicativity, one might interpret the set $S$ in LUB as a family 
indexed by a sufficiently neat set; confer Proposition 6.3 of [?], which is LUB without 
the hypothesis (*) and thus providing a weak formal real as supremum. Weak formal 
reals, however, are little satisfying because they can hardly have all the features of 
their strong counterparts. For a choice-free proof of the sequential completeness of 
formal reals not employing their weak version, see [?], Theorem 8.6. 

3 Exact Intermediate Value Theorems 

Given real numbers $a < b$, set $[a, b] = \{x \in \mathbb{R} : a \leq x \leq b\}$. Let us recall the 

Intermediate Value Theorem (IVT). If $f : [a, b] \to \mathbb{R}$ is a continuous¹⁰ 
function with $f(a) \leq 0 \leq f(b)$, then $f(x) = 0$ for some $x \in [a, b]$. 

Being almost folklore that IVT is nonconstructive unless some hypotheses are 
added¹¹, it is noteworthy that the well-known example of a continuous function 
$f$ that ‘balks’ at IVT is nondecreasing in the sense that $x \leq y \Rightarrow f(x) \leq f(y)$ for 
all $x, y$ (see, e.g., [?], 6.1.2). As Helmut Schwichtenberg pointed out to us, the 
classical interval halving argument still applies to functions mapping rationals to 
rationals, such as polynomials with rational coefficients, for which even countable 
choice is unnecessary because the rationals are totally ordered. 

Theorem 2. IVT is valid for every pointwise continuous $f : [a, b] \to \mathbb{R}$ with 
$f(\mathbb{Q}) \subseteq \mathbb{Q}$, provided that $a, b \in \mathbb{Q}$ or $f(a) < 0 < f(b)$. 

Proof. We may assume $a, b \in \mathbb{Q}$: if, e.g., $f(a) < 0$, then $f(a') < 0$ for some 
$a' \in \mathbb{Q} \cap {]a, b[}$. Hence there is a uniquely determined nested sequence of nonempty 
intervals $I_n \subseteq [a, b]$ with rational endpoints, beginning with $I_0 = [a, b]$, such that 
$I_{n+1}$ is the left (right) half of $I_n$ whenever $f(c_n) \geq 0$ ($< 0$) for $c_n \in \mathbb{Q}$ as the 
midpoint of $I_n$. In particular, $(I_n)$ shrinks to a real number $x$ with $f(x) = 0$. □ 

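The interval halving of Theorem 2 carried out in exact rational arithmetic, as an added example that is not part of the paper: for a polynomial with rational coefficients the sign of $f(c_n)$ at each rational midpoint is decided exactly, so the nested sequence $(I_n)$ is uniquely determined by $f$ and no choice principle enters. The function names and the sample polynomial $x^2 - 2$ on $[1, 2]$ are my own and not taken from the text.

```python
from fractions import Fraction
from typing import List, Sequence, Tuple, Union

# Constructed example, not code from the paper: the nested-interval
# sequence (I_n) of Theorem 2 for a polynomial with rational coefficients.

Rational = Union[int, Fraction]
Interval = Tuple[Fraction, Fraction]


def poly_eval(coeffs: Sequence[Rational], x: Fraction) -> Fraction:
    """Evaluate sum(coeffs[i] * x**i) exactly by Horner's rule.

    Every coefficient and x are rational, so the value is a rational number
    and the comparison with 0 below is a decidable, exact test: this is the
    "f(Q) subset of Q" hypothesis of Theorem 2 at work.
    """
    acc = Fraction(0)
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc


def halving_sequence(coeffs: Sequence[Rational], a: Rational, b: Rational,
                     n: int) -> List[Interval]:
    """Return the intervals I_0, ..., I_n of the proof of Theorem 2.

    Requires rational endpoints a < b with f(a) <= 0 <= f(b).  At step k the
    midpoint c_k is rational; the left half is kept when f(c_k) >= 0 and the
    right half when f(c_k) < 0.  The invariant f(lo) <= 0 <= f(hi) holds for
    every interval returned, and nothing is chosen: the sequence is fixed
    by f, a and b alone.
    """
    lo, hi = Fraction(a), Fraction(b)
    if not lo < hi:
        raise ValueError("need a < b")
    if not poly_eval(coeffs, lo) <= 0 <= poly_eval(coeffs, hi):
        raise ValueError("need f(a) <= 0 <= f(b)")
    intervals = [(lo, hi)]
    for _ in range(n):
        c = (lo + hi) / 2
        if poly_eval(coeffs, c) >= 0:
            hi = c          # f(c_k) >= 0: I_{k+1} is the left half of I_k
        else:
            lo = c          # f(c_k) < 0: I_{k+1} is the right half of I_k
        intervals.append((lo, hi))
    return intervals


def width(iv: Interval) -> Fraction:
    """Length of an interval; for I_n it equals (b - a) / 2**n."""
    return iv[1] - iv[0]


if __name__ == "__main__":
    # f(x) = x^2 - 2 on [1, 2]: f(1) = -1 <= 0 <= 2 = f(2), so (I_n)
    # shrinks to the real number sqrt(2), the unique zero of f in [1, 2].
    for k, iv in enumerate(halving_sequence([-2, 0, 1], 1, 2, 10)):
        print(f"I_{k} = [{iv[0]}, {iv[1]}]  width {width(iv)}")
```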
The putatively most general constructive version of IVT is the one for func- 
tions $f$ that are locally nonconstant, which is to say that whenever $a \leq x < y \leq b$ 
then $f(z) \neq 0$ for some $z \in [x, y]$. Including the extensive class of (nonconstant) 
real-analytic functions, this extra condition rules out those ‘balking’ functions 
which are locally constant somewhere, but still allows functions to possess multi- 
ple zeros: consider, for instance, $f(x) = x^2 - c$ for $c \geq 0$. Accordingly, dependent 
choice appears to be necessary for proving this form of IVT by approximate 
interval halving (see, e.g., [?], 6.1.5). 

⁹ Notwithstanding the fact that a rather general choice principle is a built-in tool of 
formal topology, as of ITT; see footnote 3. 

¹⁰ Albeit following Bishop’s supposition that any continuous function on $[a, b]$ is uni- 
formly continuous ([?], page 38), we shall subsequently make explicit when pointwise 
continuity suffices. What Bishop simply postulated fails in constructive recursive 
mathematics but is derivable in intuitionistic and, of course, in classical mathemat- 
ics; compare [?], chapter 6. 

¹¹ IVT implies the law of dichotomy (DICH) for real numbers which in turn entails 
the ‘lesser limited principle of omniscience’ (LLPO), a statement provably false in 
constructive recursive mathematics; see [?], pages 53, 56 for details. In fact, IVT, 
DICH, and LLPO are equivalent, if only by CC. 
The same proof method was used beforehand (e.g., on page 40 of [?]) for the 
IVT for strictly increasing functions, that are functions $f$ such that $x < y \Rightarrow 
f(x) < f(y)$ for all $x, y$¹². Since strictly increasing functions have at most one 
zero, the reader might already expect that countable choice is dispensable for this 
particular type of functions. Indeed, a choice-free proof by interval tesselating has 
recently been noted by Richman ([?], Theorem 4); let us nevertheless provide 
a rather order-theoretic proof. 

Theorem 3. IVT obtains for every strictly increasing pointwise continuous $f$. 

Proof. Having proven that $S = \{x \in [a, b] : f(x) < 0\}$ possesses a supremum, it 
is routine to verify that $\sup S \in [a, b]$ and $f(\sup S) = 0$. To check the hypothesis 
(*) of LUB, note first that if $\alpha < \beta$ then either $\alpha < a \vee b < \beta$, in which case we 
are done, or $a < \beta \wedge \alpha < b$ and thus $\max\{a, \alpha\} < \min\{b, \beta\}$; in particular, we 
may assume $\alpha, \beta \in [a, b]$. For then $f(\alpha) < f(\beta)$, either $f(\alpha) < 0$ or $f(\beta) > 0$; in 
the former case, $f(\alpha') < 0$ and thus $\alpha' \in S$ for some $\alpha' \in {]\alpha, b]}$, whereas in the 
latter case $\beta$ is easily seen to be an upper bound of $S$. □ 

It is tempting to generalise the choice-free approach to strictly injective func- 
tions, by which we mean those $f$ with $x \neq y \Rightarrow f(x) \neq f(y)$ for all $x, y$¹³; of 
course, any strictly injective nondecreasing function is strictly increasing. Since 
strictly injective functions are locally nonconstant, one could derive from the IVT 
for locally nonconstant functions (that with choice) that any strictly injective 
continuous $f$ is either strictly increasing or else strictly decreasing, depending 
on whether $f(a) < f(b)$ or $f(a) > f(b)$, respectively. 

There is another positive monotonicity property which at first glance seems 
to be suitable for some IVT without choice, namely, $f(x) < f(y) \Rightarrow x < y$ 
for all $x, y$; this property was named antidecreasing by Mandelkern [?]¹⁴. Any 
nondecreasing function $f$ is antidecreasing provided that $f$ is also strongly ex- 
tensional, which is to say that $f(x) \neq f(y) \Rightarrow x \neq y$ for all $x, y$. Since, however, 
all pointwise continuous functions are strongly extensional¹⁵, we cannot expect 
to prove IVT for antidecreasing functions. 

4 Some Approximate Analysis 

Throughout this section, let $(M, d)$ be a metric space, and $a, b \in M$. Recall the 

Approximate Intermediate Value Theorem (aIVT). If $f : M \to \mathbb{R}$ is a 
continuous function with $f(a) \leq 0 \leq f(b)$, then for every $\varepsilon > 0$ there is some 
$x \in M$ with $|f(x)| < \varepsilon$. 

¹² Note also that, in both sources just referred to, one does not really have to suppose 
$f(a) < 0 < f(b)$. 

¹³ Note that this property is constructively stronger (and thus more appropriate) than 
its contrapositive $f(x) = f(y) \Rightarrow x = y$ for all $x, y$. 

¹⁴ Bridges-Mahalanobis [?], who simply called it increasing, have demonstrated 
that this property allows to detect the possible discontinuities of a given function, 
and to extend the domain of any partial function to all points where left-hand and 
right-hand limit exist and coincide. 

¹⁵ See also Ishihara [?] for the relation between continuity and strong extensionality. 
We will subsequently investigate conditions on $M$ and $f$ that ensure the validity
of aIVT under these particular hypotheses. Let us stress that we shall frequently
but tacitly invoke the principle ($\dagger$) pointed out in section 3.

Although there might well be no path in $M$ that connects $a$ and $b$, some $x$
as in aIVT can at least be found on any such path: as we will see later on, aIVT
obtains for intervals. Moreover, the hypothesis $0 \in [f(a), f(b)]$ can be replaced
by $0 \in (f(a), f(b))$, where $(u, v) = \{(1 - t)u + tv : t \in [0, 1]\}$ is the convex hull of any
$u, v \in \mathbb{R}$; in fact, given $\varepsilon > 0$, either $|f(a) - f(b)| > 0$, i.e., $f(a) \neq f(b)$ and
thus, e.g., $f(a) < f(b)$, in which case $(f(a), f(b)) = [f(a), f(b)]$ and we are done
by aIVT; or $|f(a) - f(b)| < \varepsilon$, in which case $\max\{|f(a)|, |f(b)|\} < \varepsilon$ anyway.

In [22] and [?], page 381, a topological space is called connected if $U \cap V$ is
nonempty whenever $\{U, V\}$ is a nontrivial open covering. The following fact in
case $M = [0, 1]$ was noted by Mandelkern [23], who in turn ascribes it to Ray
Mines and Fred Richman.

Theorem 4. aIVT is valid for every pointwise continuous $f$ provided that $M$
is connected.

Proof. Since $M = U \cup V$ for the open sets

$U = \{x \in M : f(x) < \varepsilon\}$, $\quad V = \{x \in M : f(x) > -\varepsilon\}$,

there is, by hypothesis, some $x \in U \cap V$; in other words, $|f(x)| < \varepsilon$. □

The connectedness of any interval, however, seems to rely on dependent
choice (confer [?], Theorem 2 and [?], 6.1.3); observe that this existential state-
ment is essentially lacking uniqueness. As Helmut Schwichtenberg noted, the
direct proof of aIVT for intervals can nevertheless be rendered choice-free; it suf-
fices to substitute the approximate interval halving argument still used on page
40 of [?] by interval tesselating. We will now slightly generalise this method.

Let us call $M$ almost connected whenever, for all nonempty subsets $R, S$ of
$M$, if $M = R \cup S$ then for every $\varepsilon > 0$ there are $r \in R$, $s \in S$ with $d(r, s) < \varepsilon$.

Proposition 1. Every connected metric space $M$ is almost connected.

Proof. Given $\emptyset \neq R, S \subseteq M$ with $M = R \cup S$, the open sets

$U = \{x \in M : d(x, r) < \varepsilon/2 \text{ for some } r \in R\}$,

$V = \{x \in M : d(x, s) < \varepsilon/2 \text{ for some } s \in S\}$

cover $M$. By hypothesis, there is $x \in U \cap V$; hence $d(x, r) < \varepsilon/2$ and $d(x, s) < \varepsilon/2$
for some $r \in R$ and $s \in S$, respectively, and thus $d(r, s) < \varepsilon$. □

Theorem 5. aIVT obtains for every uniformly continuous $f$ provided that $M$
is almost connected.

Compare [?] and [?], 10.12, 16.4; there is a constructive difference between $[u, v]$ and
$(u, v)$ for possibly incomparable $u, v \in \mathbb{R}$; what we have in general is $(u, v) \subseteq [u, v]$
for $u \le v$ and $(u, v) = [u, v]$ for $u < v$.

Yet unpublished lecture notes.
Proof. Given $\varepsilon > 0$, $f$ is uniformly $(\varepsilon/2)$-$\delta$ continuous for some $\delta > 0$. Since
$M = R \cup S$ with

$R = \{x \in M : f(x) < \varepsilon/2\}$, $\quad S = \{x \in M : f(x) > -\varepsilon/2\}$,

there are, by hypothesis, $r \in R$ and $s \in S$ with $d(r, s) < \delta$; hence $|f(r)| < \varepsilon$ and
$|f(s)| < \varepsilon$. □

Let us furthermore call $M$ nearly connected if for all $a, b \in M$ and $\varepsilon > 0$ there
are $c_0, \ldots, c_n \in M$ such that $c_0 = a$, $c_n = b$, and $d(c_k, c_{k-1}) < \varepsilon$ for $k = 1, \ldots, n$;
in other words, $a$ and $b$ can be connected by a chain of finitely many points in
$M$ with mesh $< \varepsilon$.

Proposition 2. Every nearly connected metric space is almost connected.

Proof. For any $\emptyset \neq R, S \subseteq M$ with $M = R \cup S$, pick $a \in R$, $b \in S$. Given $\varepsilon > 0$,
there are $c_0, \ldots, c_n \in M$ with $a = c_0$, $b = c_n$, and $d(c_k, c_{k-1}) < \varepsilon$ for all $k$. Since
$c_0 \in R$, $c_n \in S$, and $c_k \in R$ or $c_k \in S$ for all $k$, one can find, by hypothesis, some
$k$ such that $r = c_{k-1} \in R$ and $s = c_k \in S$. By construction, $d(r, s) < \varepsilon$. □

Proposition 3. If $M$ is a dense subset of some pathwise connected space $X$,
then $M$ is nearly connected.

Proof. Let $\gamma : [0, 1] \to X$ be a path connecting $a, b \in M$. Given $\varepsilon > 0$, $\gamma$ is
uniformly $(\varepsilon/3)$-$\delta$ continuous for some $\delta > 0$. Construct a tesselation

$0 = t_0 < \cdots < t_n = 1$

of $[0, 1]$ with mesh $< \delta$, pick $c_k \in M$ with $d(c_k, \gamma(t_k)) < \varepsilon/3$ for $k = 1, \ldots, n - 1$,
and set $c_0 = a$, $c_n = b$. Then the chain $c_0, \ldots, c_n$ in $M$ has mesh $< \varepsilon$. □

We do not dare to ask under which circumstances the completion of some 
nearly connected metric space is pathwise connected. 

Lemma 1. Each almost connected metric space $M$ is nearly connected provided
that $M = M_1 \cup \ldots \cup M_m$ for nearly connected subspaces $M_1, \ldots, M_m$ of $M$.

Proof. Given $a, b \in M$ and $\varepsilon > 0$, we may assume $a \in M_1$ and $b \in M_m$. Since
$M = R \cup S$ for $R = M_1 \cup \ldots \cup M_{m-1}$ and $S = M_m$, there are, by hypothesis,
$r \in R$ and $s \in S$ with $d(r, s) < \varepsilon$. By induction, one can find a chain with mesh
$< \varepsilon$ consisting of finitely many elements of $R$ connecting $a$ and $r$. □

Recall that a metric space M is totally bounded if, for every e > 0, M can 
be covered by finitely many open balls of radius e with centres in M . 

Proposition 4. Each almost connected metric space $M$ is nearly connected pro-
vided that $M$ is totally bounded, or consists of finitely many path components.

Proof. In view of Proposition 3 we may assume that $M$ is the union of finitely
many nearly connected subspaces; Lemma 1 concludes the proof. □

Corollary 3. aIVT obtains for every uniformly continuous $f$ provided that $M$
is a dense subset of some pathwise connected metric space. □



522 P.M. Schuster



It is noteworthy that we have not yet proven aIVT for functions on compact
intervals — one cannot expect to show constructively that these rather simple
spaces are pointwise connected, let alone convex; we need some approximate
convexity notion instead.

In section 10 of [?], a metric space $M$ is called nearly convex whenever, for
any $x, y \in M$ and $\lambda, \mu > 0$, if $d(x, y) < \lambda + \mu$ then $d(x, z) < \lambda$ and $d(y, z) < \mu$
for some $z \in M$; furthermore, any subset $M$ of $\mathbb{R}$ is called paraconvex whenever,
for any $x, y \in M$ and $z \in \mathbb{R}$, if $x \le z \le y$ then $z \in M$. According to 10.13,
paraconvex subsets of $\mathbb{R}$ are nearly convex.

Proposition 5. If $M$ is a dense subset of an interval, then $M$ is nearly convex.

Proof. No matter whether real numbers $a, b$ can be compared with each other, it
is obvious that $a \le x, y \le b$ and $x \le z \le y$ entail $a \le z \le b$. In particular, inter-
vals are paraconvex and thus nearly convex; the latter property is transmitted
to dense subsets. □

Proposition 6. Every nearly convex metric space $M$ is nearly connected.

Proof. Given $a, b \in M$ and $\varepsilon > 0$, set $c_0 = a$, $c_n = b$, and $\rho_0 = d(c_0, c_n)$.
Either $\rho_0 < \varepsilon$ and we are done, or $\rho_0 > \varepsilon/2$, in which case, by hypothesis,
there is $c_1 \in M$ with $d(c_0, c_1) < \varepsilon$ and $d(c_n, c_1) < \rho_0 - \varepsilon/2 = \rho_1$. By repeating
this process with $c_0, \rho_0$ substituted by $c_1, \rho_1$, we get — after a finite number of
steps — some chain $c_0, \ldots, c_n$ in $M$ with mesh $< \varepsilon$. □
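The chain construction from the proof of Proposition 6, run on the dyadic rationals (a dense subset of the line, hence nearly convex by Proposition 5), as an added example in Python that is not part of the original paper. The near-convexity witness `pick_dyadic`, the exact `Fraction` arithmetic and the sample endpoints are assumptions of this example; the loop terminates because each step shrinks the remaining distance to $b$ by more than $\varepsilon/2$, exactly as in the proof.

```python
from fractions import Fraction
from math import floor
from typing import Callable, List

# Added example (not the paper's code): Proposition 6's chain construction on the
# dyadic rationals D = {m / 2^k}, with the metric d(x, y) = |x - y| computed exactly.


def is_dyadic(q: Fraction) -> bool:
    """True iff the denominator of q is a power of two."""
    den = q.denominator
    return den & (den - 1) == 0


def dyadic_between(lo: Fraction, hi: Fraction) -> Fraction:
    """Return a dyadic rational z with lo < z < hi (assumes lo < hi)."""
    assert lo < hi
    k = 0
    while Fraction(1, 2 ** k) >= hi - lo:   # find 2^-k smaller than the gap
        k += 1
    scale = 2 ** k
    # floor(lo*scale) + 1 lies strictly between lo*scale and lo*scale + 1,
    # hence lo < z < lo + 2^-k < hi
    return Fraction(floor(lo * scale) + 1, scale)


def pick_dyadic(x: Fraction, y: Fraction, lam: Fraction, mu: Fraction) -> Fraction:
    """Near-convexity witness for D: given |x - y| < lam + mu, return z in D
    with |x - z| < lam and |y - z| < mu."""
    assert abs(x - y) < lam + mu
    lo = max(x - lam, y - mu)
    hi = min(x + lam, y + mu)
    # the open balls B(x, lam) and B(y, mu) overlap precisely because |x - y| < lam + mu
    return dyadic_between(lo, hi)


Pick = Callable[[Fraction, Fraction, Fraction, Fraction], Fraction]


def chain(a: Fraction, b: Fraction, eps: Fraction, pick: Pick) -> List[Fraction]:
    """Proposition 6: connect a to b by a chain of mesh < eps using only the
    near-convexity witness `pick`.  Every step moves less than eps away from the
    current point and brings the distance to b down by more than eps/2, so the
    loop stops after at most 2*d(a, b)/eps steps."""
    points = [a]
    rho = abs(a - b)                      # rho_0 = d(c_0, c_n)
    while rho >= eps:                     # otherwise rho < eps and we are done
        # rho >= eps > eps/2, so lam = eps and mu = rho - eps/2 give d(c, b) < lam + mu
        nxt = pick(points[-1], b, eps, rho - eps / 2)
        points.append(nxt)
        rho = abs(nxt - b)                # rho_{i+1} < rho_i - eps/2
    points.append(b)
    return points


def mesh(points: List[Fraction]) -> Fraction:
    """Largest distance between consecutive chain points."""
    return max(abs(u - v) for u, v in zip(points, points[1:]))


if __name__ == "__main__":
    c = chain(Fraction(0), Fraction(1), Fraction(1, 10), pick_dyadic)
    print(len(c), "points, mesh", mesh(c), [str(q) for q in c])
```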

Corollary 4. aIVT is valid for every uniformly continuous $f$ whenever $M$ is a
dense subset of an interval. □

Needless to say, approximate results for intervals can easily be carried over to
convex subsets of normed spaces. In view of Proposition 6, one might suspect that
the notions 'nearly connected' and 'nearly convex' coincide with each other, but
by removing the hypotenuse from some rectangular triangle one gets a nearly
connected space that is not nearly convex. However, following the proof of
Theorem 10.7, where 'connected' is supposed instead of 'almost connected', we
realise that for subsets of the line all approximate notions are equivalent.

Proposition 7. Every almost connected subset $M$ of $\mathbb{R}$ is nearly convex.

Proof. Given $x, y \in M$ and $\lambda, \mu > 0$ such that $|x - y| < \lambda + \mu$, either $|x - y| <
\min\{\lambda, \mu\}$, in which case we are done, or $x \neq y$, hence we may assume $x < y$.
For $\varepsilon > 0$ with $y - x < (\lambda - \varepsilon) + (\mu - \varepsilon)$ and $\varepsilon < \min\{\lambda, \mu\}$, set

$R = M \cap\ ]-\infty, x + \lambda - \varepsilon[$, $\quad S = M \cap\ ]y - \mu + \varepsilon, +\infty[$.

Although it remains to find a Brouwerian counterexample showing that compact intervals
cannot be pointwise connected, there is one showing that they cannot be convex: following
10.10, the assumption that $[-|x|, +|x|]$ is convex for given $x \in \mathbb{R}$ would enable a
decision whether $x \le 0$ or $x \ge 0$ (this observation answers also the question on page
69 of [23]). In intuitionistic mathematics, Waaldijk has proven that at least the real
numbers in $[0, 1]$ admitting a ternary expansion form a pathwise connected space;
note that we cannot expect every real number to possess a ternary expansion (see
0.2.1, 0.2.2, 2.1.6). Open intervals, on the other hand, are easily seen to be convex.
Since $M = R \cup S$ because of $y - \mu + \varepsilon < x + \lambda - \varepsilon$, we get, by hypothesis,
$|r - s| < \varepsilon$ for some $r \in R$ and $s \in S$; hence $z \in M \cap\ ]y - \mu, x + \lambda[$ and thus
$|x - z| < \lambda$ and $|y - z| < \mu$, for $z = r$ or $z = s$. □

Corollary 5. For each subset $M$ of $\mathbb{R}$, the following items are equivalent.

(i) $M$ is nearly convex.

(ii) $M$ is nearly connected.

(iii) $M$ is almost connected. □

Again, we hesitate to conjecture something like that the closure of a nearly
convex subset of $\mathbb{R}$ is an interval. Note that, finally, $\mathbb{Q}$ is nearly convex but not
connected: $\sqrt{2}$ cuts $\mathbb{Q}$ into two open halves.

5 Concluding Remarks 

Although the notion of a strictly increasing function is — at least for practical
purposes — not as restrictive as it seems to be, the corresponding IVT (with-
out choice) is less satisfying than that for locally nonconstant functions (with
choice): unlike the latter, the former can hardly be extended to functions on
arbitrary normed spaces, let alone metric spaces. The case is just as for Cauchy
sequences versus Dedekind cuts in the rationals: general Euclidean space lacks
the additional structure of the linear continuum that is given by order. In other
words, there literally is 'more choice' in higher dimensions, for instance, of ge-
ometrical directions, and these possible choices can hardly be by-passed unless
one abolishes or neglects them by forcing the solutions to be unique or by con-
centrating on approximate solutions, respectively. By the way, the (choice-free)
approximate form of IVT is from the very outset not restricted to functions of
a single variable.

The phenomenon just mentioned can already be observed in the case of two
dimensions. When dealing with complex numbers, namely, one is often inclined
to use polar coordinates $z = |z| \exp(i \arg z)$, and every complex number $z \neq 0$
can indeed be equipped with an argument $\arg z$ by means of the (choice-free) IVT
for strictly increasing functions. However, no argument can be constructed for
arbitrary — possibly vanishing — complex numbers $z$: otherwise every real number
(even those close to 0) would admit some sign $\pm 1$, a property which is nothing
else but the nonconstructive dichotomy principle for real numbers. The situa-
tion is as for the classical form of IVT that would, of course, suffice for a general

See Bridges's generalisation to functions on arbitrary normed spaces [5].

As Richman noticed, one might well proceed from the rationals to the reals by
a method such as Dedekind cuts by which one cannot complete arbitrary metric
spaces — to speak about a metric requires a notion of real numbers given in advance,
unless one completes the underlying space and the range of the metric simultane-
ously.

See Bridges-Dediu [?] for a direct proof of the facts that polar coordinates imply
LLPO, and that polar coordinates with the additional property $(\ldots) \neq 1 \Rightarrow z \neq 0$
even entail the stronger 'limited principle of omniscience' (LPO).
polar decomposition: solutions of possibly locally constant equations cannot be
isolated constructively.

How to calculate nevertheless square roots of complex numbers, a purpose
for which complex numbers were designed in their origin? Of course, one easily
derives from $i^2 = -1$ the well-known formulas giving both square roots of a
complex number $z = x + iy$, provided that $x \neq 0$ or $y \neq 0$. Problems arise, just
as for polar coordinates, only in the neighbourhood of 0: in order to localise a
single root of a complex number $z$ close to 0, one has to choose between the two
possible roots as soon as $z \neq 0$ turns out to be the case — in other words, choice
has to enter the stage.

Some rather specific (and classically valid) countable choice principle pre-
sented in [?] happens, however, to suffice for constructing some square root of an
arbitrary complex number $z$ without making use of the alternative $z \neq 0 \vee z = 0$,
namely,

Weak Countable Choice (WCC). Given a sequence $(A_n)$ of nonempty
sets at most one of which is not a singleton, there is some choice sequence
$a_n \in A_n$ ($n \in \mathbb{N}$).

Roughly speaking, WCC enables the extraction of a choice sequence provided
that there is at most one 'true choice' between two possibly different objects, no
matter at which stage this occurs, if at all.

More generally, an entirely choice-free constructive proof of the fundamental
theorem of algebra has been given by Richman in [?]; his construction produces
as output the whole 'multiset' of roots of any input polynomial, from which one
can extract a single element by means of WCC; see, again, [?] for the latter
method. Note that Richman could only get completely rid of countable choice
by gathering all roots of some polynomial together and thus forcing the solution
in question to be uniquely determined, whereas one needs some choice — namely,
WCC — as soon as one gives up this uniqueness demand in order to get a single
root.

After all, one might still suspect that choice-free constructive mathemat-
ics cannot deal with infinite-dimensional spaces. That, on the contrary, Hilbert
spaces can well be handled without countable choice has been shown recently in
[?], where one can find proofs of unique existential statements such as

— the Riesz representation theorem ([?], Theorem 3), and

— the fact that each point in a strictly convex normed space has a closest point
in any complete located subset ([?], Theorem 6),

as well as various results of approximative character.

Let us end with a quotation from the same source with which we have started
our considerations (Beeson, page 25, footnote 16):

He [Bridges] wonders why this is. Logicians, is there a meta-theorem to explain
it [that constructive proofs are related with unique existence]?

We would like to extend Beeson's question by asking for reasons why construc-
tions without countable choice seem to require locally unique existence (or some
turning to 'approximate mathematics'), reasons somewhat deeper than the mere
indications we have given in this article.
Abstract. In [2] S. Artemov introduced the logic of proofs LP describ-
ing provability in an arbitrary system. In this paper we present the logic
LPM of the standard multiple conclusion proof predicate in Peano Arith-
metic with the negative introspection operation. We establish the com-
pleteness of LPM with respect to the intended arithmetical semantics.
Two useful artificial semantics for LPM were also found. The first one is
an extension of the usual boolean truth tables, whereas the second one
deals with the so-called protocolling extension of a theory. For both cases
the completeness theorem has been established.

In the last section we consider the first order version of the logic LPM.
Arithmetical completeness of this logic is established too.

Keywords: logic of proofs, semantics, protocolling extensions of theo-
ries.



1 Introduction 

The study of explicit provability logics or logics of proofs was initiated by
S. N. Artemov in [1]. In [2] he presented the operational logic of proofs LP with
the atoms "t is a proof of F" and established that every theorem of the modal
logic S4 admits a reading in LP as a statement about explicit provability. This
completed the effort by Kolmogorov [5] and Gödel [?] to provide a Brouwer-
Heyting-Kolmogorov style classical provability semantics for intuitionistic
logic.

In addition, it turned out that LP subsumes the $\lambda$-calculus, modal $\lambda$-calculus
and combinatory logic. Recently, it was shown in [?] that this new approach to
studying provability is useful for the design of advanced systems of proof verification.

A semantics for the logic LP was studied in [?]. In this paper we present
two different semantics for the logic of proofs with the monotonicity axiom. In
section 2 the logic LPM is introduced. The so-called basic semantics is described
in section 3. In section 4 we prove that LPM is arithmetically complete for the
multiple conclusion version of the standard Gödel proof predicate. In section 5
we introduce the notion of protocolling extension of a theory. The completeness
of LPM with respect to interpretations into such extensions is established.
In section 6 we consider the first order logic QLPM and prove the arithmetical
completeness theorem for it.

98-01-00249, 99-01-01282, INTAS grant 97-1259, and grant DAAH04-96-1-0341, by
DARPA under program LPE, project 34145.

2 Operational Logic LPM with the Monotonicity Axiom

The language of the logic LPM is an extension of the propositional language
with an infinite number of proof variables $p_1, p_2, \ldots$, symbols of operations $\cdot, +, !, ?_A$
and the binary proof predicate $t:F$.

The definition of a proof term and a formula is given as follows:

1. propositional constants and variables $\top, \bot, S_0, S_1, \ldots$ are formulas (atoms);

2. if $A, B$ are formulas then $\neg A$, $(A \wedge B)$, $(A \vee B)$, $(A \to B)$ are formulas too;

3. proof variables $p_1, p_2, \ldots$ are proof terms;

4. if $s, t$ are proof terms then $(s \cdot t)$, $(s + t)$, $!t$ are proof terms too;

5. if $t$ is a proof term and $A$ is a formula then $?_A(t)$ is a proof term;

6. if $A$ is a formula and $t$ is a proof term then $(t:A)$ is a (quasiatomic) formula.

Thus, $\cdot, +, !$ are ordinary functional symbols (binary and unary correspond-
ingly), while $?_A$ is a unary functional symbol with a formula as a parameter. In
what follows $A(t)$ means that the proof term $t$ occurs at least once as a subword
in the formula $A$.

Definition 1 The logic LPM is defined by the following axioms (over the propo-
sitional calculus in the extended language).

Operational axioms:

1. $s:(A \to B) \to (t:A \to (s \cdot t):B)$ (composition),

2. $(t:A) \vee (s:A) \to (t + s):A$ (non-deterministic choice),

3. $t:A \to\ !t:(t:A)$ (verification),

4. $\neg t:A \to (?_A t):(\neg t:A)$ (negative introspection).

General axioms:

5. $t:A \to A$ (reflexivity),

6. $\neg(t_1:A_1(t_2) \wedge t_2:A_2(t_3) \wedge \ldots \wedge t_n:A_n(t_1))$ (monotonicity).

The rule of inference is modus ponens $\dfrac{A \quad A \to B}{B}$.

This system is an extension of S. Artemov's logic LP (see [2]). We add the
axiom of negative introspection and the monotonicity axiom (it appeared for
the first time in [?]). The former is an operational version of the modal principle
$\neg\Box A \to \Box\neg\Box A$ from the modal logic S5. It has a very clear computational mean-
ing: if some construction denoted by $t$ is not a proof of a formula $A$, this fact
can be established effectively. The corresponding proof of non-correctness of $t$
with respect to $A$ is denoted by $?_A(t)$.

The monotonicity axiom characterizes a general property of the considered in-
terpretations, namely the fact that any proof of a formula $A$ is more complex
than the formula $A$ itself. So, $s:A(t)$ implies $s \succ t$, where '$\succ$' denotes the cor-
responding irreflexive order. In the definition of LPM this property is expressed
without an additional symbol for the order relation.
3 The Basic Semantics for LPM

Let us consider the language $L'$ which includes the propositional language, and
for an arbitrary finite set of formulas $\delta = \{\varphi_1, \ldots, \varphi_k\}$ and a formula $\varphi$ the
construction $[\delta]\varphi$ is a formula of $L'$. Here are some examples of $L'$-formulas:

$[\varphi, \neg\varphi]\varphi$, $\quad [\varphi]\psi$, etc.

Below, any finite set of $L'$-formulas is called a configuration.

Let $*$ be an evaluation of the propositional variables by the truth values from
the set $\{0, 1\}$. We extend $*$ to all formulas of the language $L'$ in the following
way:

$[\varphi_1, \ldots, \varphi_k]\varphi$ is true iff all formulas $\varphi_1, \ldots, \varphi_k$ are true (i.e. the configuration
is correct) and the formula $\varphi$ coincides with some formula $\varphi_i$ from this set.

It is clear that the set of valid formulas of the language $L'$ is decidable and
can be axiomatized over the propositional calculus in the language $L'$ by the
following axioms:

D1. $[\varphi_1, \ldots, \varphi_k]\psi \leftrightarrow \varphi_1 \wedge \ldots \wedge \varphi_k$, if $\psi \in \{\varphi_1, \ldots, \varphi_k\}$;

D2. $\neg[\varphi_1, \ldots, \varphi_k]\psi$ otherwise.

We define the operations $\cdot, +, !$ and $?_\varphi$ on the set of all configurations such
that for any configurations $\delta, \delta_1, \delta_2$ and formulas $\varphi, \psi$ of the language $L'$ the
following holds:

$(\cdot)$ if $(\varphi \to \psi) \in \delta_1$ and $\varphi \in \delta_2$ then $\psi \in (\delta_1 \cdot \delta_2)$;

$(+)$ if $\varphi \in \delta_1$ or $\varphi \in \delta_2$ then $\varphi \in (\delta_1 + \delta_2)$;

$(!)$ if $\varphi \in \delta$ then $[\delta]\varphi \in\ !(\delta)$;

$(?_\varphi)$ if $\varphi \notin \delta$ then $\neg[\delta]\varphi \in\ ?_\varphi(\delta)$.

We say that the operations are correct with respect to a given evaluation $*$
if, when applied to correct configurations, they return a correct configuration.

Note that the operations defined in the minimal possible way (when the
result is the minimal configuration which satisfies the conditions above) are correct
for any evaluation $*$.

Definition 2 A basic model for LPM is a triple $M = (*, Op, v)$ where

$*$ is a truth evaluation of propositional variables;

$Op$ is a set of operations $\cdot, +, !$ and $?_\varphi$ which are correct with respect to the
evaluation $*$;

$v$ is a mapping of proof variables of the language LPM into the set of correct
configurations of the language $L'$.

The assignment $v$ can be extended to the set of all formulas and proof
terms of the language LPM in a natural way. We stipulate that $v$ commutes
with the boolean connectives and operations $\cdot, +, !$, and

$v(S_i) = S_i$, $\qquad v(t:A) = [v(t)]v(A)$, $\qquad v(?_A t) = ?_{v(A)}(v(t))$.

It is clear that for every proof term $t$ of the language LPM the configuration
$v(t)$ is correct with respect to the evaluation $*$. A formula $A$ is defined to be true
in the described model if $v(A)^* = 1$.
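The evaluation $*$ on $L'$-formulas, the minimal operations on configurations, and the check of the composition axiom carried out in the proof of Theorem 1, as an added example in Python that is not part of the original paper. The tuple encoding of formulas and the sample configurations `d1`, `d2` are constructed for this example; the check ranges over all evaluations under which the configurations assigned to the proof variables are correct, since these are the only ones that yield basic models.

```python
from itertools import product
from typing import Any, Dict, FrozenSet, Optional, Set, Tuple

# Added example (not the paper's code): the basic semantics of section 3 made executable.
# L'-formulas are encoded as nested tuples (a constructed encoding):
#   ('var', 'S1')        propositional variable S1
#   ('not', A)           negation
#   ('imp', A, B)        implication
#   ('conf', delta, A)   [delta]A, where delta is a frozenset of formulas (a configuration)
Formula = Tuple[Any, ...]
Config = FrozenSet[Formula]

def var(name): return ('var', name)
def neg(a): return ('not', a)
def imp(a, b): return ('imp', a, b)
def box(delta, a): return ('conf', frozenset(delta), a)


def is_correct(delta: Config, star: Dict[str, int]) -> bool:
    """A configuration is correct under * iff every member is true under *."""
    return all(evaluate(p, star) for p in delta)


def evaluate(phi: Formula, star: Dict[str, int]) -> bool:
    """Extend the truth evaluation * of the variables to every L'-formula."""
    tag = phi[0]
    if tag == 'var':
        return star[phi[1]] == 1
    if tag == 'not':
        return not evaluate(phi[1], star)
    if tag == 'imp':
        return (not evaluate(phi[1], star)) or evaluate(phi[2], star)
    delta, psi = phi[1], phi[2]
    # [delta]psi is true iff delta is correct and psi coincides with a member of delta
    return is_correct(delta, star) and psi in delta


# Operations "defined in the minimal possible way": the smallest configuration
# satisfying the clause (.), (+), (!) or (?_phi) of section 3.
def dot(d1: Config, d2: Config) -> Config:
    return frozenset(f[2] for f in d1 if f[0] == 'imp' and f[1] in d2)

def plus(d1: Config, d2: Config) -> Config:
    return d1 | d2

def bang(d: Config) -> Config:
    return frozenset(box(d, p) for p in d)

def question(phi: Formula, d: Config) -> Config:
    return frozenset() if phi in d else frozenset({neg(box(d, phi))})


def variables(phi: Formula, acc: Optional[Set[str]] = None) -> Set[str]:
    """Collect the propositional variables of phi, including those inside configurations."""
    acc = set() if acc is None else acc
    if phi[0] == 'var':
        acc.add(phi[1])
    elif phi[0] == 'conf':
        for member in phi[1]:
            variables(member, acc)
        variables(phi[2], acc)
    else:
        for sub in phi[1:]:
            variables(sub, acc)
    return acc


def true_in_all_basic_models(phi: Formula, *configs: Config) -> bool:
    """Decide whether phi holds under every evaluation * that makes the given
    configurations correct.  In a basic model v sends proof variables to correct
    configurations only, so evaluations breaking this give no model and are skipped."""
    names = sorted(variables(phi))
    for bits in product((0, 1), repeat=len(names)):
        star = dict(zip(names, bits))
        if all(is_correct(c, star) for c in configs) and not evaluate(phi, star):
            return False
    return True


# Constructed sample: d1 = v(s) "proves" S1 -> S2 and d2 = v(t) "proves" S1.
S1, S2 = var('S1'), var('S2')
d1: Config = frozenset({imp(S1, S2)})
d2: Config = frozenset({S1})


def composition_instance() -> bool:
    """v(s:(A -> B) -> (t:A -> (s.t):B)) with v(A) = S1, v(B) = S2, the check of Theorem 1."""
    phi = imp(box(d1, imp(S1, S2)), imp(box(d2, S1), box(dot(d1, d2), S2)))
    return true_in_all_basic_models(phi, d1, d2)


def verification_instance() -> bool:
    """v(t:A -> !t:(t:A)) with v(A) = S1."""
    phi = imp(box(d2, S1), box(bang(d2), box(d2, S1)))
    return true_in_all_basic_models(phi, d2)


def negative_introspection_instance() -> bool:
    """v(~t:A -> (?_A t):(~t:A)) with v(A) = S2, a formula that d2 does not contain."""
    phi = imp(neg(box(d2, S2)), box(question(S2, d2), neg(box(d2, S2))))
    return true_in_all_basic_models(phi, d2)


def unsound_claim_instance() -> bool:
    """[d2]S2 claims a proof of a formula outside d2; axiom D2 refutes it in every model."""
    return true_in_all_basic_models(box(d2, S2), d2)
```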

Theorem 1 Let $A$ be any formula of the language LPM. Then

LPM $\vdash A$ iff $A$ is true in all basic models $(*, Op, v)$.

Proof. ($\Rightarrow$) For the operational axioms of LPM the statement follows immedi-
ately from the definition of the correct operations. As an example we check that
for any basic model $M$ one has

$M \models s:(A \to B) \to (t:A \to (s \cdot t):B)$.

This means that $M \models [v(s)](v(A) \to v(B)) \to ([v(t)]v(A) \to [v(s \cdot t)]v(B))$. If
$(v(A) \to v(B)) \notin v(s)$ or $v(A) \notin v(t)$ then the argument is trivial since one of
the premises turns out to be false. If $(v(A) \to v(B)) \in v(s)$ and $v(A) \in v(t)$ then
by the definition of the operation $\cdot$ the configuration $v(s \cdot t)$ is correct in $M$ and
$v(B) \in v(s \cdot t)$. So, $M \models [v(s \cdot t)]v(B)$.

The other operational axioms are treated in a similar way.

The correctness of the monotonicity axiom follows from the following obser-
vation. If $M \models t_1:A(t_2)$ then the length of the configuration $v(t_1)$ (we mean
the number of symbols in its recording) is greater than the length of $v(t_2)$, since
$v(t_2)$ occurs explicitly (as a part of the formula $v(A)$) in the configuration $v(t_1)$.
So, in every sequence of formulas of the kind

$t_1:A_1(t_2),\ t_2:A_2(t_3),\ \ldots,\ t_n:A_n(t_1)$

one can always find an element $t_i:A_i$ such that $v(A_i) \notin v(t_i)$, and so $M \models \neg t_i:A_i$.

To complete this part of the proof one only needs to check that if $M \models A \to B$
and $M \models A$ then $M \models B$.

($\Leftarrow$) Suppose that LPM $\nvdash A$ and $t_1, \ldots, t_m$ is an exhaustive enumeration
without repetitions of all terms which occur in $A$. Let us fix the set of fresh
propositional variables $Q_1, \ldots, Q_m$. We define $X_A$ to be the minimal set satis-
fying the following conditions.

1. Each atomic and each quasiatomic subformula of $A$ belongs to $X_A$.

2. If a proof term $?_B t$ occurs in $A$ and $t:B \in X_A$ then $?_B t:(\neg t:B) \in X_A$.

3. If a proof term $s \cdot t$ occurs in $A$ and $s:(B \to C) \in X_A$, $t:B \in X_A$, then
$(s \cdot t):C \in X_A$.

4. If a proof term $s + t$ occurs in $A$ and $s:B \in X_A$ or $t:B \in X_A$, then
$(s + t):B \in X_A$.

5. If a proof term $!t$ occurs in $A$ and $t:B \in X_A$ then $!t:(t:B) \in X_A$.

6. For every atomic and quasiatomic formula from $X_A$ its negation belongs to
$X_A$ too.

7. The formulas $t_1:(Q_1 \vee \neg Q_1), \ldots, t_m:(Q_m \vee \neg Q_m)$ belong to $X_A$
(this artificial condition is responsible for the injectivity of the constructed
interpretation; it will be necessary for the definition of operations).
Note that the set $X_A$ is finite since for every quasiatomic formula $t:B$
from $X_A$ the proof term $t$ occurs in $A$, and one can show by induction on the
complexity of $t$ that for any proof term the set of formulas $\{B_i \mid t:B_i \in X_A\}$ is
finite.

Below, we will write "$\vdash$" instead of "LPM $\vdash$".

A set of formulas $W \subseteq X_A$ is called consistent if $\nvdash \bigwedge W \to \bot$. A
consistent subset $W$ of the set $X_A$ is called maximal if every extension
of it with a formula from $X_A$ is inconsistent. The following properties of the
maximal consistent subsets easily follow from the definition.

Lemma 11 Let $W$ be some maximal consistent subset of $X_A$. Then

1. for every atomic or quasiatomic formula $B$ from $X_A$ one has either $B \in W$
or $\neg B \in W$;

2. for every subformula $B$ of the formula $A$ one has either $\vdash \bigwedge W \to B$ or
$\vdash \bigwedge W \to \neg B$;

3. there exists a maximal consistent set $W$ such that $\vdash \bigwedge W \to \neg A$, and all of
the formulas $t_i:(Q_i \vee \neg Q_i)$ belong to $W$.

Let now $W$ denote the corresponding set which satisfies the last statement
of the lemma. We will construct the model $M = (*, Op, v)$ in the following way.
The evaluation $*$ is defined as follows: $S_i^* = 1$ if $S_i \in W$ and $S_i^* = 0$ otherwise.

Recall that for propositional variables $v(S_i) = S_i$. Now we are going to
define the assignment $v$ for all subformulas and all proof terms in $A$, and then
the appropriate operations $Op$ will be written down.

Consider the following order relation on the proof terms which occur in $A$:

$t_1 \prec t_2$ iff $t_2:D(t_1) \in W$ for some formula $D$.

Recall that $W$ is consistent, so, according to the monotonicity axiom, every chain
of the kind $t_1 \succ t_2 \succ \cdots$ is finite.

Let now $t$ be any minimal (with respect to the defined order) proof term
such that $v(t)$ is not defined. Then for every formula $t:D \in W$ the translation
$v(D)$ is already defined. Indeed, either $D$ contains no occurrences of other proof
terms (in this case $v(D) = D$), or some other proof terms occur in $D$, which
are less than $t$ with respect to the described order, but the translation $v$ is already
defined for them, so $v(D)$ is already defined too. Thus, we can define $v(t)$ in the
following way:

$v(t) = \{v(D) \mid t:D \in W\}$. (1)

Eventually, the translation $v$ will be defined for all proof terms and all sub-
formulas of $A$.

Lemma 12 For every subformula $B$ of the formula $A$ one has
$M \models B$ iff LPM $\vdash \bigwedge W \to B$.
Proof. Induction on the steps of the described procedure for the definition of the
mapping $v$. On the first step the translation $v$ was defined for the propositional
variables. In this case it is sufficient to note that $M \models S_i$ iff $S_i \in W$. According
to the properties of $W$ one has $S_i \in W$ iff $\vdash \bigwedge W \to S_i$.

The case when $B$ is a boolean combination is trivial.

Let now $B$ be of the kind $t:C$. By the induction hypothesis, for every formula $D_i$
such that $t:D_i \in W$ the translation $v(D_i)$ is already defined and

$M \models D_i$ iff LPM $\vdash \bigwedge W \to D_i$.

According to the reflexivity axiom the implication $\bigwedge W \to D_i$ is provable for all
such $D_i$, so all $D_i$ are true in $M$. Thus, according to (1), the configuration $v(t)$
is correct in $M$. So,

$M \models t:C$ iff $v(C) \in v(t)$.

On the other hand, because of (1) one has $v(C) \in v(t)$ iff $t:C \in W$, and, by the
properties of $W$,

$t:C \in W$ iff LPM $\vdash \bigwedge W \to t:C$.

It follows from this lemma that $M \nvDash A$.

Let us now complete the construction of the model. The translation $v$ is now
defined for all proof terms from $A$, so it is defined for all proof variables from
$A$. For all other proof variables we put $v(p)$ to be the empty configuration. Now we
have to define the operations $Op$ appropriate to the translation $v$:

$(\cdot)$ $v(t) \cdot v(s) = v(t \cdot s)$, if $t \cdot s$ occurs in $A$;
$\delta_1 \cdot \delta_2 = \{\psi \mid \varphi \to \psi \in \delta_1 \text{ and } \varphi \in \delta_2\}$ for all other pairs of configurations.

$(+)$ $v(t) + v(s) = v(t + s)$, if $t + s$ occurs in $A$;
$\delta_1 + \delta_2 = \{\varphi \mid \varphi \in \delta_1 \text{ or } \varphi \in \delta_2\}$ otherwise.

$(!)$ $!(v(t)) = v(!t)$, if $!t$ occurs in $A$;
$!\delta = \{[\delta]\psi \mid \psi \in \delta\}$ for all other configurations.

$(?_B)$ $?_{v(B)}(v(t)) = v(?_B t)$, if $?_B t$ occurs in $A$;
$?_\varphi(\delta) = \{\neg[\delta]\varphi\}$ if $\varphi \notin \delta$, and the empty configuration otherwise, for all other
configurations $\delta$.

Note that the operations $Op$ defined above are correct in $M$. Indeed, for
those configurations which coincide with images of some proof terms from $A$ it
follows from the definition of the set $X_A$ and from the properties of $W$. For all
other configurations it follows from the correctness of the minimal operations.
Thus, the model $M = (*, Op, v)$ is constructed, such that $M \nvDash A$.

Corollary 11 The logic LPM is decidable.

Proof. It follows from the given proof that the logic LPM is complete with respect to the
class of finitely defined basic models, for which only a finite number of propositional
variables are true, the operations $Op$ are defined in the minimal way for all
arguments except for a finite set, and only a finite number of proof variables are
interpreted by nonempty configurations.

In fact, a detailed inspection of the proof allows one to find exact upper
bounds on the complexity of the countermodel.
4 Arithmetical Completeness

Let $PROOF(x, y)$ denote the following multi-conclusion version of the standard
Gödel proof predicate for Peano arithmetic PA:

"$x$ is a number of a finite set of derivations in PA, and $y$ is a number of a
formula proved by one of these derivations".

It has the following natural properties (in what follows $Th(n)$ stands for the set
$\{\varphi \mid PROOF(n, \ulcorner\varphi\urcorner)\}$):

1. For every finite set $\Gamma$ of theorems of PA there exists a natural number $n$
such that $\Gamma = Th(n)$.

2. For any arithmetical formula $\psi(x)$ with one free variable $x$ and any natural
numbers $m, n$ the following holds:

PA $\vdash PROOF(m, \ulcorner\psi(n)\urcorner) \to m > n$.

Below, instead of the predicate $PROOF$ we may consider any proof predicate
with these two properties.

An arithmetical interpretation $f$ of the language LPM is organized as follows:

— arithmetical sentences are assigned to all propositional variables;

— computable functions $\cdot, +, !$ and $?_\varphi$ on natural numbers are defined in such
a way that the corresponding operational properties are satisfied;

— numerals are assigned to all proof variables.

Interpretation $f$ commutes with boolean connectives and operations on proofs,
and

$f(?_A t) = ?_{f(A)}(f(t))$, $\qquad f(t:A) = PROOF(f(t), \ulcorner f(A)\urcorner)$.

Theorem 2 Let $A$ be any formula in the language LPM. Then the following
holds:

a) if LPM $\vdash A$ then PA $\vdash f(A)$ for all arithmetical interpretations $f$;

b) if LPM $\nvdash A$ then there exists an arithmetical interpretation $f$ such that
PA $\vdash \neg f(A)$.

Proof. a) Straightforward induction on the length of the proof in LPM.

b) Let $A$ be unprovable in LPM. Then there exists a basic model $M$ such
that $M \models \neg A$. It was already mentioned above that we can take $M$ to be finitely
defined. First of all we define the arithmetical assignment for propositional variables
in the following way:

$f(S_i) = \ldots$ if $S_i^* = 1$, $\qquad f(S_i) = \ldots$ otherwise.

It is clear that for every pure propositional formula $\varphi$ one has

$M \models \varphi \iff$ PA $\vdash f(\varphi)$. (2)
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Firstly, we are going to extend the definition of / to all formulas of the 
languages and to keep the condition ( 2 ) true. 

Let (5 = {v 3 i, ■ • ■ , be a finite set of L'^-formulas such that the assignment 
f{ipi ), . . . , f{<fn) is already defined. If all formulas /((/?i), • ■ • , f{‘Pn) are provable 
in PA then put f{6) to be the least natural number n such that 

Th{n) = 



Otherwise, take f{S) to be the least natural number n which is not a Godel 
number of any set of proofs, and such that it was not defined to be the /-image 
for another configuration S' . 

Stipulating that $f([\delta]\varphi) \rightleftharpoons \mathrm{PROOF}(f(\delta), f(\varphi))$, the interpretation $f$ can be defined for all formulas of this language. One can easily check that $f$ has the following properties:

1. for every formula $\varphi$ of the language, $f(\varphi)$ is an arithmetical $\Delta_1$-sentence;

2. $f$ is computable;

3. $f^{-1}$ is computable too, namely, for every arithmetical sentence one can effectively either find its pre-image or establish that it is not an image of any formula; the same holds for configurations: for every natural number $n$ one can effectively either find the corresponding configuration, or establish that $n$ is not an image of any configuration;

4. $f$ is injective, i.e. if $f(\varphi)$ coincides with $f(\psi)$ then $\varphi$ and $\psi$ coincide too;

5. condition (2) holds for every formula of the language;

6. an arbitrary nonempty configuration $\delta$ is correct in $M$ if and only if $f(\delta)$ is a Gödel number of some multiple proof in PA.



Now, using the interpretation of the language $\mathcal{LP}_M$ into the language with configuration atoms given by the basic model $M$, we can extend the definition of $f$ to all formulas of the language $\mathcal{LP}_M$.

For proof terms put $f(t) \rightleftharpoons f(v(t))$. The only thing we need to do is an appropriate definition of the arithmetical functions $\cdot'$, $+'$, $!'$ and $?'$. Properties 2, 4, 6 listed above allow us to carry this definition over from the model $M$. We define:

$f(\delta_1) \cdot' f(\delta_2) = f(\delta_3)$ iff $\delta_1 \cdot \delta_2 = \delta_3$;

$f(\delta_1) +' f(\delta_2) = f(\delta_3)$ iff $\delta_1 + \delta_2 = \delta_3$;

$!' f(\delta_1) = f(\delta_2)$ iff $!\delta_1 = \delta_2$;

$?'_{f(\varphi)} f(\delta_1) = f(\delta_2)$ iff $?_{\varphi} \delta_1 = \delta_2$.

In case not all of the arguments are images of configurations, define the result in an arbitrary computable way.

Since the model $M$ is finitely defined, the operations defined in this way are computable. It is clear that condition (2) remains true for all formulas of the language $\mathcal{LP}_M$. So, $\mathrm{PA} \vdash \neg f(A)$. Q.E.D.
5 Protocolling Extensions of Theories

In this section we generalize the arithmetical semantics in the following way. Let us fix an arbitrary consistent recursively enumerable theory $T$. We assume that all tautologies in the language of $T$ are provable in $T$ and that the modus ponens rule is admissible. Also we assume that $T$ is given by some decidable set of axioms and rules of inference.

Consider now a non-deterministic theorem proving device $M_T$ which works as follows. At each moment the configuration of $M_T$ is characterized by a finite set of formulas in the language of $T$. The computational process of $M_T$ satisfies the following conditions (below, $\Omega_i$ denotes the configuration of $M_T$ at the moment $i$): $M_T$ starts from the empty set of formulas, so $\Omega_0 = \emptyset$, and there are two ways to obtain $\Omega_{i+1}$ from $\Omega_i$:

1. (deduction) $\Omega_{i+1} = \Omega_i \cup \{\varphi\}$, where $\varphi$ is

— either a tautology in the language of $T$,

— or an axiom of $T$,

— or an immediate consequence of some formulas from $\Omega_i$ by one of the rules of inference;

2. (clearing of memory) $\Omega_{i+1} = \Omega_i \setminus \{\varphi\}$, where $\varphi \in \Omega_i$.

Any finite sequence of configurations $\Omega_0, \dots, \Omega_n$ which satisfies these conditions will be called a protocol for $M_T$. We say that the given protocol verifies the formula $\varphi$ if $\varphi \in \Omega_n$. We say that $M_T$ verifies $\varphi$ if there exists a protocol for $M_T$ which verifies $\varphi$.

It is clear that $M_T$ verifies $\varphi$ if and only if $\varphi$ is a theorem of $T$.

Suppose now that $M_T$ is strong enough to analyze its own protocols. Namely, given a list of configurations $\pi$ and a formula $\varphi$ it can decide whether $\pi$ is a protocol for $M_T$ which verifies $\varphi$ or not (such a procedure exists since the corresponding relation is decidable). Also, it means that the device is able to operate with the set of atomic formulas extended in the following way:

if $\pi$ is a list of configurations and $\varphi$ is a formula then $[\pi]\varphi$ is also a formula,

denoting the fact that $\pi$ verifies $\varphi$.

Now, the corresponding item in the description of the process of computation looks as follows:

1. (deduction) $\Omega_{i+1} = \Omega_i \cup \{\varphi\}$, where $\varphi$ is

— either a tautology in the extended language,

— or an axiom of $T$,

— or an immediate consequence of some formulas from $\Omega_i$ by one of the rules of inference,

— or has the form $[\pi]\psi$, where $\pi$ verifies $\psi$,

— or has the form $\neg[\pi]\psi$, where $\pi$ does not verify $\psi$.

This advanced version of the device $M_T$ will be denoted by $M_T^{\bullet}$.

Such an extension of the proving device corresponds to the following extension $T^{\bullet}$ of the theory $T$. The language of $T^{\bullet}$ is the extension of the language of $T$ by the formulas of the kind $[\pi]\psi$. The set of axioms is extended by all tautologies in the extended language and by the formulas of the form $[\pi]\psi$, where $\pi$ verifies $\psi$, and $\neg[\pi]\psi$, where $\pi$ does not verify $\psi$. It is clear that $T^{\bullet} \vdash \varphi$ if and only if $M_T^{\bullet}$ verifies $\varphi$.
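As an added illustration of the protocol relation just described (this code is not part of the paper; it assumes a constructed toy theory $T$ whose only proper axioms are the two formulas $p$ and $p \to q$, with modus ponens as the only rule of inference), the following Python decides whether a list of configurations is a protocol for $M_T$, or for the self-analyzing device $M_T^{\bullet}$, and whether it verifies a given formula. Tautologies in the extended language are checked by truth tables with each $[\pi]\psi$ atom treated as a propositional atom; the tuple encoding, the names `is_protocol` and `verifies`, and the sample protocols are this example's own.

```python
from itertools import product

# Formula encoding (constructed for this example, not the paper's notation):
#   ('atom', name)      propositional atom of the language of T
#   ('not', A)          negation
#   ('imp', A, B)       implication; other connectives are abbreviations
#   ('proto', pi, A)    the extended atom [pi]A, "protocol pi verifies A"
# A configuration is a frozenset of formulas; a protocol pi is a tuple of
# configurations Omega_0, ..., Omega_n.

def atoms(phi):
    """Atoms of phi for truth-table purposes; a [pi]A atom counts as atomic."""
    if phi[0] in ('atom', 'proto'):
        return {phi}
    if phi[0] == 'not':
        return atoms(phi[1])
    return atoms(phi[1]) | atoms(phi[2])

def evaluate(phi, val):
    if phi[0] in ('atom', 'proto'):
        return val[phi]
    if phi[0] == 'not':
        return not evaluate(phi[1], val)
    return (not evaluate(phi[1], val)) or evaluate(phi[2], val)

def is_tautology(phi):
    """Tautology in the (extended) language: true under every valuation of its atoms."""
    keys = list(atoms(phi))
    return all(evaluate(phi, dict(zip(keys, bits)))
               for bits in product((False, True), repeat=len(keys)))

def by_modus_ponens(phi, config):
    """phi is an immediate consequence of config: some A and (A -> phi) lie in it."""
    return any(('imp', a, phi) in config for a in config)

def deduction_ok(phi, config, axioms, extended):
    """May phi be added to config by a deduction step of M_T (or of M_T^bullet)?"""
    if is_tautology(phi) or phi in axioms or by_modus_ponens(phi, config):
        return True
    if extended:  # the two self-analysis clauses of M_T^bullet; pi is a proper
                  # component of phi, so the recursion terminates
        if phi[0] == 'proto':
            return verifies(phi[1], phi[2], axioms, extended=True)
        if phi[0] == 'not' and phi[1][0] == 'proto':
            return not verifies(phi[1][1], phi[1][2], axioms, extended=True)
    return False

def is_protocol(pi, axioms, extended=False):
    """Decide whether pi = (Omega_0, ..., Omega_n) is a protocol for the device."""
    if not pi or pi[0] != frozenset():
        return False  # the device starts from the empty configuration
    for prev, cur in zip(pi, pi[1:]):
        added, removed = cur - prev, prev - cur
        if len(added) == 1 and not removed:          # deduction step
            if not deduction_ok(next(iter(added)), prev, axioms, extended):
                return False
        elif len(removed) == 1 and not added:        # clearing of memory
            continue
        else:
            return False
    return True

def verifies(pi, phi, axioms, extended=False):
    """pi verifies phi: pi is a protocol and phi is in its last configuration."""
    return is_protocol(pi, axioms, extended) and phi in pi[-1]

# Constructed toy theory T: two axioms, modus ponens as the only rule.
P, Q = ('atom', 'p'), ('atom', 'q')
P_IMP_Q = ('imp', P, Q)
AXIOMS_T = frozenset({P, P_IMP_Q})
F = frozenset

# A protocol deriving q, then clearing memory one formula at a time down to {q}.
PI_GOOD = (F(), F({P}), F({P, P_IMP_Q}), F({P, P_IMP_Q, Q}), F({P_IMP_Q, Q}), F({Q}))
# Not a protocol: q is neither a tautology, an axiom, nor a consequence of the empty set.
PI_BAD = (F(), F({Q}))
# A protocol that does not verify q.
PI_SHORT = (F(), F({P}))
# A protocol for M_T^bullet that records facts about other protocols.
PI_SELF = (F(),
           F({('proto', PI_GOOD, Q)}),
           F({('proto', PI_GOOD, Q), ('not', ('proto', PI_SHORT, Q))}))

if __name__ == '__main__':
    print(verifies(PI_GOOD, Q, AXIOMS_T))                                      # True
    print(is_protocol(PI_BAD, AXIOMS_T))                                       # False
    print(verifies(PI_SELF, ('not', ('proto', PI_SHORT, Q)), AXIOMS_T, True))  # True
    print(is_protocol(PI_SELF, AXIOMS_T))                                      # False
```

The last call shows the difference between the two devices: `PI_SELF` is a protocol for $M_T^{\bullet}$ but not for $M_T$, because $M_T$ has no rule that lets it add a $[\pi]\psi$ atom. The checker also refuses $[\pi]\psi$ when $\pi$ does not verify $\psi$, which is exactly what makes $\neg[\pi]\psi$ admissible in that case.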

Now we can define the protocolling semantics for the logic $\mathcal{LP}_M$. Let $T^{\bullet}$ be the protocolling extension of a theory $T$. An interpretation $f$ of the language of $\mathcal{LP}_M$ into the language of $T^{\bullet}$ is a triple $(*, Op, v)$ with the following parameters:

$*$ maps propositional variables to formulas in the language of $T^{\bullet}$;

$Op$ is a set of operations $\cdot'$, $+'$, $!'$ and $?'$ defined on the set of all protocols of $M_T^{\bullet}$ which satisfy the corresponding operational axioms of $\mathcal{LP}_M$;

$v$ maps every proof variable to a protocol for $M_T^{\bullet}$.

Stipulating that $f$ commutes with boolean connectives and operations, it can be extended to the set of all formulas and proof terms of the language $\mathcal{LP}_M$. In particular,

$f(t\!:\!A) = [f(t)]f(A).$

Theorem 3 Suppose that $T$ is a theory and $A$ is an arbitrary formula in the language of $\mathcal{LP}_M$. Then

a) if $\mathcal{LP}_M \vdash A$ then for any interpretation $f$ one has $T^{\bullet} \vdash f(A)$;

b) if $\mathcal{LP}_M \nvdash A$ then there exists an interpretation $f$ such that $T^{\bullet} \vdash \neg f(A)$.

Sketch of proof. The first proposition of the theorem follows by straightforward checking that all axioms of $\mathcal{LP}_M$ are provable in $T^{\bullet}$ under any interpretation.

To prove proposition (b) we use the completeness of $\mathcal{LP}_M$ with respect to the basic models. Let $M$ be a basic model such that $M \models \neg A$. One can embed $M$ into $T^{\bullet}$ in the following way. If a propositional variable $S_i$ is true in $M$ then we put $f_M(S_i)$ to be a tautology in the language of $T^{\bullet}$, otherwise put $f_M(S_i)$ to be any inconsistent sentence. The only thing one should care about is injectivity of the embedding: different formulas of $\mathcal{LP}_M$ should be interpreted by different formulas of $T^{\bullet}$. It is clear that for every correct configuration $\delta = \{\varphi_1, \dots, \varphi_n\}$ the corresponding formulas will be provable in $T^{\bullet}$. So, there exists a protocol $\pi_\delta$ for $M_T^{\bullet}$ which verifies the set of formulas $\{f_M(\varphi_1), \dots, f_M(\varphi_n)\}$. We put $f_M(\delta) \rightleftharpoons \pi_\delta$. The operations are treated in the obvious way.

Since $M \models \neg A$, one has $T^{\bullet} \vdash \neg f_M(A)$ for the described interpretation $f_M$.

6 First Order Case 

The study of the first order logic of proofs was initiated in [?]. Given an arithmetical theory $T$ and a class $\mathcal{K}$ of proof predicates, the logic $\mathcal{QLP}_{\mathcal{K}}(T)$ is defined as the set of all formulas in the corresponding language described below which are provable in $T$ under every arithmetical interpretation based on a proof predicate from $\mathcal{K}$. It was shown there that for different natural classes $\mathcal{K}$ and theories $T$ the corresponding logic $\mathcal{QLP}_{\mathcal{K}}(T)$ is not effectively axiomatizable.

In this section we consider the first order logic $\mathcal{QLP}_M$ and prove the arithmetical completeness theorem for it.

6.1 The Main Definition

The language of the first order logic of proofs $\mathcal{QLP}_M$ is the extension of the pure predicate language with an infinite set of proof variables $p_1, p_2, \dots$, the proof predicate $t\!:\!F$, the symbols of operations $\cdot$, $+$, $!$, $?_A$ (the same as in the propositional case) and an infinite set of new unary operational symbols $g_1, g_2, \dots$ for the operation of generalization over the corresponding individual variables $x_1, x_2, \dots$.

Formulas and proof terms of the language $\mathcal{QLP}_M$ are constructed as follows:

1. if $Q$ is any $n$-ary predicate symbol and $y_1, \dots, y_n$ are individual variables then $Q(y_1, \dots, y_n)$ is a formula;

2. if $A$, $B$ are formulas then $\neg A$, $(A \wedge B)$, $(A \vee B)$, $(A \to B)$ are formulas too;

3. if $A$ is a formula and $x_i$ is an individual variable then $\forall x_i A$ is a formula too, and $x_i$ is excluded from the set of free variables of $A$;

4. proof variables $p_1, p_2, \dots$ are proof terms;

5. if $s$, $t$ are proof terms then $(s \cdot t)$, $(s + t)$, $!t$, $g_i(t)$ are proof terms too;

6. if $t$ is a proof term and $A$ is a formula then $?_A(t)$ is a proof term;

7. if $A$ is a formula and $t$ is a proof term then $(t\!:\!A)$ is a (quasiatomic) formula with no free variables, i.e. the proof operator binds all free occurrences of individual variables in $A$.



Definition 3 The logic $\mathcal{QLP}_M$ is defined by the following axioms (over the first order calculus in the extended language).

Operational axioms:

1. $s\!:\!(A \to B) \to (t\!:\!A \to (s \cdot t)\!:\!B)$ (composition),

2. $(t\!:\!A) \vee (s\!:\!A) \to (t + s)\!:\!A$ (non-deterministic choice),

3. $t\!:\!A \to\ !t\!:\!(t\!:\!A)$ (verification),

4. $\neg t\!:\!A \to\ ?_A(t)\!:\!(\neg t\!:\!A)$ (negative introspection),

5. $t\!:\!A \to g_i(t)\!:\!\forall x_i A$ (generalization).

General axioms:

6. $t\!:\!A \to A$ (reflexivity),

7. $\neg(t_1\!:\!A_1(t_2) \wedge t_2\!:\!A_2(t_3) \wedge \dots \wedge t_n\!:\!A_n(t_1))$ (monotonicity).

The rules of inference: $\dfrac{A \quad A \to B}{B}$ (modus ponens), $\dfrac{A}{\forall x_i A}$ (generalization).



6.2 Arithmetical Semantics

Let $T$ be any consistent extension of PA with a decidable set of axioms. We suppose that a Gödel numbering of the arithmetical language is fixed, so for every such theory we may consider the multi-conclusion version of the standard proof predicate:

"$x$ is a number of a finite set of derivations in $T$, and $y$ is a number of a formula proved by one of these derivations".

The corresponding arithmetical formula is denoted by $\mathrm{PROOF}_T(x, y)$.

An arithmetical interpretation $f_T$ of the language $\mathcal{QLP}_M$ is organized in the following way:

— every atomic formula is interpreted by an arithmetical formula with the same set of free variables;

— $f_T$ commutes with the Boolean connectives, quantifiers and substitution of variables, i.e. if $f_T(Q(x)) = \varphi(x)$ then $f_T(Q(y)) = \varphi(y)$;

— every proof variable is interpreted by a natural number;

— totally computable functions $\cdot'$, $+'$, $!'$, $?'_{\varphi}$ and $g_i'$ for all $i$ and $\varphi$ are defined, which satisfy the operational axioms 1-5 of the logic $\mathcal{QLP}_M$, i.e.

• if $\mathrm{PROOF}_T(n, \ulcorner \varphi \to \psi \urcorner)$ and $\mathrm{PROOF}_T(m, \ulcorner \varphi \urcorner)$ then $\mathrm{PROOF}_T(n \cdot' m, \ulcorner \psi \urcorner)$;

• if not $\mathrm{PROOF}_T(n, \ulcorner \varphi \urcorner)$ then $\mathrm{PROOF}_T(?'_{\varphi}(n), \ulcorner \neg \mathrm{PROOF}_T(n, \ulcorner \varphi \urcorner) \urcorner)$;

• if $\mathrm{PROOF}_T(n, \ulcorner \varphi \urcorner)$ then $\mathrm{PROOF}_T(g_i'(n), \ulcorner \forall x_i \varphi \urcorner)$, etc.,

for any natural numbers $i$, $m$, $n$ and arithmetical formulas $\varphi$ and $\psi$;

— using these functions the interpretation of proof terms is computed;

— $f_T(t\!:\!A) \rightleftharpoons \mathrm{PROOF}_T(f_T(t), \ulcorner f_T(A) \urcorner)$.



6.3 Arithmetical Completeness

Theorem 4 Let $A$ be any formula in the language $\mathcal{QLP}_M$. Then

a) if $\mathcal{QLP}_M \vdash A$ then for every theory $T$ and interpretation $f_T$ one has $T \vdash f_T(A)$;

b) if $\mathcal{QLP}_M \nvdash A$ then there exists an extension $T$ of PA by a finite set of true sentences and an interpretation $f_T$ such that $T \nvdash f_T(A)$.

Sketch of proof. a) Straightforward induction on the proof in $\mathcal{QLP}_M$.

b) The scheme of the proof is the following. Firstly, we build a finite set $X_A$ of quasiatomic formulas which are adequate to $A$. Using this set we turn from the fact that $\mathcal{QLP}_M \nvdash A$ to the fact of nonprovability of the implication $K_A^* \to A^*$ in the first order calculus, for the conjunction $K_A$ and the translation $*$ described below. According to the arithmetical formalization of the Gödel completeness theorem there exists an arithmetical interpretation $h$ of the pure predicate language such that $h(K_A^* \to A^*)$ is false in the standard model $\mathbb{N}$ of arithmetic. Then, by combining the translation $*$ and the interpretation $h$, we construct the desired theory $T$ and interpretation $f_T$.

Let $Tm(A)$ denote the set of all proof terms which occur in $A$. The set $X_A$ is defined as the minimal set of quasiatomic formulas such that

1. all quasiatomic subformulas of $A$ belong to $X_A$;

2. if $(s \cdot t) \in Tm(A)$ and $s\!:\!(B \to C) \in X_A$, $t\!:\!B \in X_A$ then $s \cdot t\!:\!C \in X_A$;

3. if $(s + t) \in Tm(A)$ and either $s\!:\!B \in X_A$ or $t\!:\!B \in X_A$ then $s + t\!:\!B \in X_A$;

4. if $(!t) \in Tm(A)$ and $t\!:\!B \in X_A$ then $!t\!:\!t\!:\!B \in X_A$;

5. if $g_i(t) \in Tm(A)$ and $t\!:\!B \in X_A$ then $g_i(t)\!:\!(\forall x_i B) \in X_A$;

6. if $?_B(t) \in Tm(A)$ then $?_B(t)\!:\!(\neg t\!:\!B) \in X_A$.

One can show by induction on the length of a proof term $t$ that for every $t \in Tm(A)$ the set $\{B \mid t\!:\!B \in X_A\}$ is finite. So, $X_A$ is finite too.

Let $K_A$ denote the conjunction of all proper axioms of $\mathcal{QLP}_M$ which use only formulas from $X_A$. For axiom 6 we take its universal closure.
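As an added example (not from the paper), the following Python computes $X_A$ by iterating closure rules 1-6 above to a fixpoint, for a constructed sample formula $A$ built from the proof variables $p$, $q$ and the terms $p \cdot q$, $g_1(p \cdot q)$, $?_{P(x_1)}(q)$ and their sum. Rule 2 is read with the premise $t\!:\!B$ of the composition axiom. The tuple encoding of terms and formulas, the sample formula and the function names are this example's own; the point it makes concrete is that each term of $Tm(A)$ receives only finitely many formulas, so the closure terminates.

```python
# Encoding of QLP_M syntax (constructed for this example, not the paper's):
#   terms:    ('pv', name)       proof variable
#             ('app', s, t)      s . t          ('sum', s, t)   s + t
#             ('bang', t)        !t             ('gen', i, t)   g_i(t)
#             ('q', B, t)        ?_B(t)
#   formulas: ('pred', name, vars)   atomic formula Q(y_1, ..., y_n)
#             ('not', A), ('and', A, B), ('or', A, B), ('imp', A, B)
#             ('all', i, A)      forall x_i A
#             ('proves', t, A)   quasiatomic formula t:A

def subterms(t):
    """All proof terms occurring in t, t itself included."""
    yield t
    tag = t[0]
    if tag in ('app', 'sum'):
        yield from subterms(t[1])
        yield from subterms(t[2])
    elif tag in ('bang', 'gen', 'q'):
        yield from subterms(t[-1])

def quasiatomic_subformulas(A):
    """Every subformula of A of the form t:B, including those nested inside another t:B."""
    tag = A[0]
    if tag == 'pred':
        return set()
    if tag == 'proves':
        return {A} | quasiatomic_subformulas(A[2])
    if tag == 'all':
        return quasiatomic_subformulas(A[2])
    return set().union(*(quasiatomic_subformulas(B) for B in A[1:]))

def terms_of(A):
    """Tm(A): all proof terms occurring in A."""
    return {u for (_, t, _) in quasiatomic_subformulas(A) for u in subterms(t)}

def closure(A):
    """X_A: the least set of quasiatomic formulas closed under rules 1-6 of the text."""
    X = quasiatomic_subformulas(A)          # rule 1
    Tm = terms_of(A)
    while True:
        new = set()
        for t in Tm:
            tag = t[0]
            if tag == 'app':                # rule 2: s:(B->C), t:B  gives  s.t:C
                s, u = t[1], t[2]
                for (_, s1, B) in X:
                    if s1 == s and B[0] == 'imp' and ('proves', u, B[1]) in X:
                        new.add(('proves', t, B[2]))
            elif tag == 'sum':              # rule 3: s:B or t:B  gives  s+t:B
                for (_, s1, B) in X:
                    if s1 in (t[1], t[2]):
                        new.add(('proves', t, B))
            elif tag == 'bang':             # rule 4: t:B  gives  !t:(t:B)
                for (_, s1, B) in X:
                    if s1 == t[1]:
                        new.add(('proves', t, ('proves', t[1], B)))
            elif tag == 'gen':              # rule 5: t:B  gives  g_i(t):(forall x_i B)
                for (_, s1, B) in X:
                    if s1 == t[2]:
                        new.add(('proves', t, ('all', t[1], B)))
            elif tag == 'q':                # rule 6: ?_B(t):(not t:B), unconditionally
                new.add(('proves', t, ('not', ('proves', t[2], t[1]))))
        if new <= X:
            return X                        # fixpoint reached; X_A is finite
        X |= new

def formulas_proved_by(t, X):
    """{B | t:B in X}; finite for every t in Tm(A), as the text states."""
    return {B for (_, s, B) in X if s == t}

# Constructed sample formula A:
#   p:(P(x1) -> Q(x1)) and q:P(x1)  ->  (g_1(p.q) + ?_{P(x1)}(q)):R
P = ('pred', 'P', ('x1',))
Q = ('pred', 'Q', ('x1',))
R = ('pred', 'R', ())
p, q = ('pv', 'p'), ('pv', 'q')
PQ = ('app', p, q)
G = ('gen', 1, PQ)
QQ = ('q', P, q)
S = ('sum', G, QQ)
A_SAMPLE = ('imp', ('and', ('proves', p, ('imp', P, Q)), ('proves', q, P)),
            ('proves', S, R))

if __name__ == '__main__':
    X = closure(A_SAMPLE)
    print(len(terms_of(A_SAMPLE)), len(X))      # 6 8
    for t in (PQ, G, QQ, S):
        print(t, sorted(map(repr, formulas_proved_by(t, X))))
```

For the sample, rule 2 adds $p \cdot q\!:\!Q(x_1)$, rule 5 then adds $g_1(p \cdot q)\!:\!\forall x_1 Q(x_1)$, rule 6 adds $?_{P(x_1)}(q)\!:\!\neg q\!:\!P(x_1)$, and rule 3 lifts the last two to the sum term, so the sum term ends up with three formulas and $X_A$ has eight elements in total.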

Consider now a translation $*$ of the language $\mathcal{QLP}_M$ into the pure predicate language. It leaves all pure predicate formulas unchanged, and every occurrence of a quasiatomic formula $t\!:\!F$ is replaced by a corresponding fresh propositional variable, say $S_{t:F}$. We stipulate that $*$ commutes with Boolean connectives, quantifiers and the operation of renaming of individual variables.

One can easily verify that the implication $K_A^* \to A^*$ is not provable in the first order calculus, since $\mathcal{QLP}_M \nvdash A$. So, according to the arithmetical formalization of the Gödel completeness theorem for the first order calculus (see [?]), there exists an arithmetical interpretation $h$ of the pure predicate language such that the formula $h(K_A^* \to A^*)$ is false in $\mathbb{N}$, i.e. $\mathbb{N} \models h^*(K_A) \wedge \neg h^*(A)$.

The composition of $*$ and $h$ (denoted by $h^*$) is arranged very similarly to the desired interpretation $f_T$. Indeed, it assigns to every atomic predicate formula some arithmetical formula with the same set of free variables, it commutes with boolean connectives, quantifiers and the operation of renaming variables, and $\mathbb{N} \models \neg h^*(A)$. Unfortunately, $h^*$ does not correlate with provability, but this can be fixed.

Without loss of generality one may assume that for every propositional variable $S$ either $h(S) = \top$ or $h(S) = \bot$, where $\top \rightleftharpoons (0 = 0)$ and $\bot \rightleftharpoons (0 = 1)$.

Recall that for every quasiatomic formula $t\!:\!F$ from $X_A$ the implication $t\!:\!F \to F$ is included into $K_A$. So, if $h^*(t\!:\!F) = \top$ then $\mathbb{N} \models h^*(F)$.

Now we can define the desired extension $T$ of PA:

$T = \mathrm{PA} + \{h^*(F) \mid t\!:\!F \in X_A \text{ and } h^*(t\!:\!F) = \top\}.$

It follows from the observation above that all additional axioms are true in $\mathbb{N}$.

We define $f_T(Q) \rightleftharpoons h^*(Q)$ for all pure predicate formulas. For all proof variables not occurring in $A$ put $f_T(p) \rightleftharpoons 0$. Now we are going to define the interpretation $f_T$ for all proof terms from $Tm(A)$, and then the corresponding computable functions for the operations on proofs will be provided.

Consider the partial order on $Tm(A)$ which is the transitive closure of the following relation: $t_1 \prec t_2$ iff for some formula $B(t_1)$ one has $t_2\!:\!B(t_1) \in X_A$ and $h^*(t_2\!:\!B(t_1)) = \top$. This order is well founded, since the monotonicity axiom for all such formulas is included in $K_A$.

Consider a term $t$ which is minimal with respect to this order relation. The set $\Omega(t) \rightleftharpoons \{F \mid t\!:\!F \in X_A \text{ and } h^*(t\!:\!F) = \top\}$ contains only pure predicate formulas, therefore the interpretation $f_T$ is already defined for them. On the other hand, according to the definition of $T$, the results of the translation of all these formulas are axioms of $T$. So, there are infinitely many proofs of the set $f_T(\Omega(t))$. We define $f_T(t)$ to be the Gödel number of one of them. The only thing one should care about is the injectivity of $f_T$ on the set $Tm(A)$. It will be needed for the appropriate definition of the operations.

Thus, $f_T$ is defined for all minimal proof terms. One can easily see that for every formula $F$ in the language $\mathcal{QLP}_M$, if $f_T(F)$ is already defined then the following condition holds:

$\mathrm{PA} \vdash f_T(F) \leftrightarrow h^*(F).$ (3)

Let now $t \in Tm(A)$ be a minimal proof term such that $f_T(t)$ is not defined. Then, for every formula $F \in \Omega(t)$ the interpretation $f_T(F)$ is already defined. On the other hand, according to property (3) all formulas from $f_T(\Omega(t))$ are equivalent in PA to some axioms of $T$. So, they are provable in $T$, and we can define $f_T(t)$ as the Gödel number of a proof of this set of formulas. It is clear that for the extended version of $f_T$ condition (3) remains true. In a finite number of steps the definition of $f_T$ can be extended to all proof terms from $Tm(A)$. Then, following this definition, one can easily define the appropriate computable functions for the operations on proofs (see the corresponding part in the proofs of Theorems 1 and 2).

So, according to condition (3) one has $\mathbb{N} \models \neg f_T(A)$, since $\mathbb{N} \models \neg h^*(A)$. Hence, $T \nvdash f_T(A)$.